this post was submitted on 07 Sep 2023
965 points (99.0% liked)

Technology

58070 readers
2799 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
L4s@lemmy.world
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
965
More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user (www.theverge.com)
submitted 1 year ago by L4s@lemmy.world to c/technology@lemmy.world
185 comments fedilink hide all child comments
 

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

you are viewing a single comment's thread
view the rest of the comments
[–] diffusive@lemmy.world 2 points 1 year ago (1 children)

You need to aumatize any operation... It's not conceivable that an human look at every device for stuff to steal. It would be even more expensive.

Generally all these bit malware do is 1) using a vulnerability to replicate themselves 2) mine crypto or other kind of crap. Sometimes (1) involves also stealing ssh keys but it's not the goal, it the mean.

Self hosting password/code/photos/whatever niches you are almost guaranteed that no human will look at hit because the amount of IoT/Routers/etc with nothing valuable beyond themselves generally composes the majority of these compromised bots

This is just the economic incentive

[–] ribboo@lemm.ee 1 points 1 year ago (1 children)

Oh yes, because automating a search for csv and json files to search for mail addresses and passwords can’t be done by malware. It must be a human.

Common. This happens on massive scale, wether you like it or not.

https://securityboulevard.com/2023/06/the-alarming-reality-the-extent-of-credentials-stolen-by-botnets/amp/

https://mybroadband.co.za/news/security/452972-password-cracker-software-creates-crypto-stealing-botnets.html/amp

https://phys.org/news/2013-12-stolen-credentials-million-compromised-accounts.amp

[–] diffusive@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

It's software, everything can be done. Even if username and passwords are not kept in plaintext as you suggest (and likely nobody would do)

Problem is that the number of people that self host password repositories is so little that it makes no financial sense. And so for this reason your "massive scale" is an hyperbole because there isn't a massive scale of people that self host password repositories

Botnets that stole from local password repositories makes more sense because there are more people that use password managers of sort.

Humans looking are flexible enough to look at all possible long tail cases like this.. but not going to happen except for high profile targets.

All in all what i am saying is that i don't see clear evidence that self hosting is more dangerous (in practice) than centralized hosting

PS: pro tip If you link references, make sure to read the references you link... The second one has nothing to do with password stealing, it was about a password cracker that was a trojan horse for a botnet. Yes, it fits the search "botnet password" but it doesn't sustain your point