Aug 6, 2014

The CyberVor Data Breach: What You Need to Know

News broke on August 5th that Hold Security, an information security and investigations company, discovered a Russian cybercrime ring that had amassed over 4.5 billion consumer records. According to the New York Times, the records mostly consisted of stolen login credentials (usernames and passwords) accumulated from over 420,000 websites, containing over half a billion unique email addresses. The cybercrime ring was dubbed “CyberVor”, Vor meaning “theft” in Russian.

While some sources remain skeptical of the details, news of the "CyberVor breach" has caused widespread concern. Allegedly, "CyberVor" used stolen credentials bought on the black market to distribute malware and build a botnet, then exploited vulnerabilities on websites big and small in order to gather more data.

As we monitor the situation and ascertain the authenticity of the details, we highly recommend following the steps below to mitigate any potential impact of the CyberVor breach and to improve your password hygiene. While your LastPass account is not affected, if you have reused your master password on any other site it is absolutely critical that you change it now (via the LastPass vault, in the "Settings" menu).

Mitigating the Impact of the CyberVor Breach

Start using a password manager. If you are not yet using LastPass or another password manager, we advise getting started immediately. A password manager centralizes your logins and passwords in one secure place. Many people are surprised by just how many passwords they have once they pull what they have saved in their browsers into a password manager. A password manager also makes it easy to follow best practices for passwords and online security.

Run the Security Check. The LastPass Security Check identifies any weak or duplicate passwords, tells you if any sites were affected by Heartbleed, and gives you an overall “security score” so you can understand how you’re progressing with your password security. To run it, click the LastPass icon in your browser toolbar, then under the “Tools” sub-menu select the “Security Check”.

Replace duplicate passwords with generated ones. After running the Security Check, you’ll know which sites have weaker passwords, and you can start updating them. Begin with the most important sites - financial, email, and social. You can launch the site straight from the Security Check and log in, then go to your account settings page on that website, and use LastPass to generate a new password and replace the old one. Repeat for all sites using weak, duplicate, and old passwords.

Turn on multifactor authentication. Multifactor authentication adds another security layer to your account by requiring that you confirm “something you have” (like a Google Authenticator code) after submitting “something you know” (your LastPass email address and master password). LastPass supports 10 multifactor authentication options, giving you the flexibility to choose one that suits your workflow best.
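The checks the Security Check performs (weak and duplicate passwords, plus the master-password reuse warned about above), as an added Python illustration that is not LastPass code; the vault entries, the weakness thresholds and the scoring formula are constructed assumptions:

```python
import math
import re
from collections import defaultdict

# Constructed sample vault export (site, username, password); none of this is real data.
VAULT = [
    ("bank.example", "alice@example.com", "Tr0ub4dor&3xyz!"),
    ("mail.example", "alice@example.com", "correct horse battery staple"),
    ("shop.example", "alice", "password1"),
    ("forum.example", "alice", "password1"),
    ("social.example", "alice@example.com", "Summer2014"),
]
MASTER_PASSWORD = "Summer2014"   # constructed; reused on social.example above
COMMON = {"password", "password1", "123456", "qwerty", "letmein"}  # tiny stand-in list

def entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the character classes used)."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return len(pw) * math.log2(size) if size else 0.0

def is_weak(pw):
    """Assumed thresholds: on a common-password list, shorter than 12, or under 50 bits."""
    return pw.lower() in COMMON or len(pw) < 12 or entropy_bits(pw) < 50

def audit(vault, master):
    """Return duplicate groups, weak sites, master-password reuse and a 0-100 score."""
    sites_by_pw = defaultdict(list)
    for site, _, pw in vault:
        sites_by_pw[pw].append(site)
    duplicates = {pw: s for pw, s in sites_by_pw.items() if len(s) > 1}
    weak = [site for site, _, pw in vault if is_weak(pw)]
    master_reused = [site for site, _, pw in vault if pw == master]
    flagged = set(weak) | set(master_reused)
    for s in duplicates.values():
        flagged.update(s)
    # Score: share of sites with no finding; the formula is an assumption, not LastPass's.
    score = round(100 * (len(vault) - len(flagged)) / len(vault))
    return {"duplicates": duplicates, "weak": weak,
            "master_reused": master_reused, "score": score}

if __name__ == "__main__":
    for key, value in audit(VAULT, MASTER_PASSWORD).items():
        print(f"{key}: {value}")
```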

Online security is about mitigation and remaining proactive. The protection of your online identity is in part dependent on utilizing strong, unique passwords for all of your online accounts. Just like you wouldn't give your one house key to someone you don't trust, don't give the same password to every website you use. By replacing weak and duplicate passwords, using multifactor authentication, and centralizing your accounts with a password manager, you’ll help mitigate the potential impact of this massive data breach and others in the future.

23 comments:

  1. Do you have any plans to add a check to the LastPass Security Check whether email addresses are found in this database?

    1. It's already implemented, this check is performed while checking your security score.

    2. Fantastic, thank you!

    3. For this particular breach we don't yet have a list - if that becomes available we would certainly look at integrating it into the Security Check results.

    4. Thanks for your reply Amber. That's all I wanted to know.

  2. Didn't this news story just break a few hours ago?? Very impressed with your response time!

    1. Thanks! Appreciate the positive feedback.

  3. http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever is worth a read here. Note that the list of accounts hasn't been released, so LastPass can't check it.

    1. Correct; should the list become available, we hope to be able to check it.

  4. Theft is кража (kraza), but вор (vor) is thief, so Cybervor actually means something more like Cyber thief.

  5. Use a cryptographic password generator like Cryptnos rather than what LastPass uses to generate passwords. The application is secure, open source, and cross-platform (mobile, PC, Linux, Mac, and via a client-side website), so you can always re-generate your secure password even if you're somewhere you don't have access to LastPass (like at the bank, or a friend's house). It uses strong cryptographic hashes to generate unique passwords, using two parts: a keyphrase you choose that is associated with whatever password you need generated (like yahoo, yahoo.com, login.yahoo, whatever) and a "master password" you choose that adds to generating the password, and that you never need to forget (like lizzy96, if you chose a family member who was born in '96, or whatever); you could use that as your master pass for all your password generations in addition to the keyphrase. You then choose a hash algorithm, how many hash iterations, the length of the password, and any character limitations imposed on the password (some passwords can't contain special characters, for example), and bam, you have your unique, cryptographic, ultra-strong password. And all you need to remember is your master password to regenerate the password. If you're on a different device, just enter the same information (keyphrase, master pass, hash, iterations, password limit) and you can regenerate your password again. But it's easy to carry with you, as it comes as a mobile app as well. www.cryptnos.com Check it out. Well worth it, and rock solid.

    1. Thanks for sharing this tip. We would hope you'd never be without LastPass, between our mobile apps, web access, and universal download options, but we appreciate the tip on other tools out there.

    2. That reminds me a lot of Master Password, very similar if you want to compare and try it:
      http://masterpasswordapp.com/

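The derivation the commenter describes (keyphrase plus master password through an iterated hash, with a chosen length and character-set limit, reproducible from the same inputs on any device) as an added Python illustration; it is not Cryptnos's or Master Password's own code, and the PBKDF2 construction and the base-conversion mapping to characters are assumptions:

```python
import hashlib

# Assumed scheme modelled on the description above, not Cryptnos's own construction:
# PBKDF2-HMAC(master password, salt = keyphrase, iterations) -> key material ->
# characters from the allowed set -> the requested length. Same inputs, same output.

DEFAULT_ALLOWED = ("abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*")

def derive_password(keyphrase, master, algorithm="sha256",
                    iterations=10000, length=16, allowed=DEFAULT_ALLOWED):
    """Deterministically derive a site password from (keyphrase, master)."""
    alphabet = sorted(set(allowed))   # dedupe so each character is equally likely
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two allowed characters")
    # Request 4 bytes of key material per output character so the integer below
    # is far larger than len(alphabet)**length and the base conversion is unbiased
    # to within a negligible margin.
    raw = hashlib.pbkdf2_hmac(algorithm, master.encode("utf-8"),
                              keyphrase.encode("utf-8"), iterations,
                              dklen=4 * length)
    # Treat the key material as one big integer and write it in base len(alphabet);
    # each base digit selects one character.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)

if __name__ == "__main__":
    # Constructed sample inputs (the commenter's own example values).
    print(derive_password("yahoo.com", "lizzy96"))
    # Letters and digits only, for a site that rejects special characters.
    print(derive_password("yahoo.com", "lizzy96", allowed=DEFAULT_ALLOWED[:62]))
```

Changing any single input (keyphrase, master password, hash, iteration count, length or allowed set) yields an unrelated password, which is also why every parameter must be remembered exactly to regenerate one.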
  8. Is LastPass working now? I can't access it from my PC or mobile devices… getting a tad concerned now ...

  9. Not working for me either....

  10. How long before we can expect to be able to use LastPass again?

  11. how come my post is showing the incorrect time?

  12. I was considering trying LastPass today but after reading of people who can't access their devices from 8am to almost 7pm I'm not ready to risk it. I was hoping to mitigate risk :(
