You may have read or received an email regarding the Lastpass breach and that a bit more data was taken than initially expected.
Lastpass claims that the breach was in their integration platform and not production. With about 1,500 organizations that rely on Lastpass API integration, this is a massive breach with a much wider blast radius.
Lastpass claims that while your master password is safe, URLs linked to the API integration may have leaked, including metadata such as end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
Lastpass being one of the top 4 password managers, I would expect quite a few Bitcoiners use it to securely generate and store their passwords, to store their intimate notes, and maybe even to store their passphrases and probably even the seed words to their crypto wallets.
Here are some Password manager best practices to focus on in the new year:
  1. Choose a password manager with known good reputation, preferably an open source password manager.
  2. Assume your password vault will be stolen, so make sure you protect it with a mighty strong and long master password. On your phone, enable the use of biometric authentication so that you do not have to type in your mighty strong and long master password each time you need to retrieve a password or create a new password for a website.
  3. Get into the habit of routinely rotating the passwords in your password safe, including the master password.
  4. Enable 2FA on your password manager, and enable geolocation if it supports that as well.
  5. Remove browser extensions from unknown or dubious sources. An extension with permission to interact with a page is inherently able to access anything from that page, including an auto-filled password or Bitcoin addresses. Similarly, a malicious extension can modify the contents of form fields and network requests/responses to misuse the authority of the current user login context.
Happy Holidays.
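Point 2 above ("assume your vault will be stolen") is worth seeing in code: once the encrypted vault file is in an attacker's hands there is no server, no lockout and no 2FA in the way, only the key-derivation cost per guess. The script below is an added example, not code from the original post and not LastPass's or Bitwarden's actual vault format; the vault header (random salt, PBKDF2 iteration count, key-check value), the wordlist and the two master passwords are all constructed for illustration.

```python
"""
Offline attack on a stolen password-manager vault (constructed toy format).

Assumptions, not a real product's on-disk format: the vault header holds a
random salt, a PBKDF2-HMAC-SHA256 iteration count, and a key-check value
HMAC(key, "kcv") so a client can tell a wrong password from a corrupt file.
That header is exactly what a thief gets to keep and guess against forever.
"""
import hashlib
import hmac
import math
import os
import time

KEY_LEN = 32


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into the vault key; cost paid per login and per attacker guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Stored beside the ciphertext; lets the attacker verify a guess without decrypting anything."""
    return hmac.new(key, b"kcv", "sha256").digest()


def create_vault(master_password: str, iterations: int) -> dict:
    """Constructed vault header. No plaintext secret is inside, yet it fully enables offline guessing."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}


def unlock(vault: dict, candidate: str) -> bool:
    """What the legitimate client does, and what the attacker does once per guess."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    return hmac.compare_digest(key_check_value(key), vault["kcv"])


def mangle(word: str):
    """Cheap rules cracking tools apply to every dictionary word (6 candidates per word)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2023"):
        yield word + suffix


def crack_vault(vault: dict, wordlist) -> tuple:
    """Offline dictionary attack. Returns (recovered_password_or_None, guesses_made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if unlock(vault, candidate):
                return candidate, guesses
    return None, guesses


def guess_rate(vault: dict, samples: int = 5) -> float:
    """Measure guesses/second on this machine: the KDF cost is the only brake on the attacker."""
    start = time.perf_counter()
    for i in range(samples):
        unlock(vault, f"probe-{i}")
    return samples / (time.perf_counter() - start)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` uniformly random picks from a `dictionary_size` list."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: the whole keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed stand-in for the leaked-password lists attackers actually feed their tools.
WORDLIST = ["password", "letmein", "qwerty", "bitcoin", "satoshi", "hodl", "lastpass", "welcome"]

if __name__ == "__main__":
    iterations = 20_000                       # kept low so the demo runs in seconds
    weak = create_vault("bitcoin2023", iterations)
    strong = create_vault("marble-otter-lantern-quartz-voyage", iterations)  # 5 random words

    print("weak vault  :", crack_vault(weak, WORDLIST))     # recovered after 24 guesses
    print("strong vault:", crack_vault(strong, WORDLIST))   # (None, 48): wordlist exhausted
    rate = guess_rate(weak)
    print(f"this machine: {rate:.0f} guesses/s at {iterations} iterations")
    bits = passphrase_bits(5, 7776)
    print(f"5 words from a 7776-word list: {bits:.1f} bits; "
          f"{years_to_exhaust(bits, rate * 1000):.2e} years for an attacker 1000x faster")
```

The takeaway matches the post: the iteration count only buys a constant factor (and GPU rigs recover that factor many times over), so a master password that appears in any wordlist plus mangling rules falls regardless of how the vault is encrypted, while a long random passphrase is out of reach even for an attacker a thousand times faster than this script.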
bitwarden is my favorite
reply
Some solid advice, thanks @038f02fc23!
Self-sovereign bitcoiners are surely self-hosting their password managers using vaultwarden on a Start9 embassy or similar...?
Cloudron also has a bunch of services for self hosting email, matrix, vaultwarden, jitsi, nextcloud, etc etc
You can literally de-google and de-microsoft yourself with them (and it goes without saying you should have already de-f'booked yo'self, which includes insta & whatsapp)
reply
Yes, I use vaultwarden. Thinking about allowing access to it only from inside a VPN, but not sure if that may lock me out one day.
reply