Latest #LastPass breach may be worse than you think.

Attacker didn't just get encrypted passwords.

They got unencrypted URLs.

Think: URLs with account tokens, API keys & credentials, etc...

1/
blog.lastpass.com/2022/12/notice…
2/ Do your employees use #LastPass?

Or how about your users?

Do you even know?

The unencrypted URL breach is bad news for your security model, and you should be thinking about mitigations.
3/ The issue: *unencrypted* URLs that #LastPass users have saved may in some cases contain sensitive information that can be leveraged for account access.

The entity that now has this trove of encrypted & unencrypted stuff is clearly well-resourced, capable and strategic.
4/ I focused in this thread on unencrypted URLs in #LastPass.

I'm especially worried about high-value users & entities.

Serious national security implications that probably need mitigating.

For 'regular' users, these are solid recommendations.👇
5/ In general, using a password manager remains a key way to stay safer online.

Here are my thoughts👇
6/ Transparency: I've redone this thread to better balance my commentary on the implications of the #LastPass data & the unencrypted URLs (which I find very alarming), with the needs of 'regular' users seeking more information about the situation.
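Added example, not code from the thread's author or from LastPass: the concrete worry in tweets 1/ and 3/ is that a saved URL can itself be a credential (an API key in the query string, a password-reset or invite link with a one-time secret in the path, `user:pass@host` in the URL). A practical first mitigation step is to triage your own vault for such entries and rotate what you find. The script below scans a vault export for those three patterns. It assumes the column layout of a LastPass CSV export (`url,username,password,totp,extra,name,grouping,fav`); that layout, the keyword lists and the sample rows are all assumptions constructed for this illustration. The export file holds plaintext passwords, so run it only on a local copy and delete the CSV afterwards.

```python
import csv
import io
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample rows in the assumed layout of a LastPass CSV export.
SAMPLE_EXPORT = """\
url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,hunter2,,,Example shop,Personal,0
https://api.example.net/v1/console?api_key=0123456789abcdef0123456789abcdef,alice,x,,,API console,Work,0
https://mail.example.org/account/reset/7Qn9vXb2kLp4Rs8TwYz1Hg3Jd6Fm,alice,x,,,Mail reset link,Personal,0
https://backup:s3cret@files.example.org/,alice,x,,,Backup FTP,Work,0
https://wiki.example.com/page?id=42&lang=en,alice,x,,,Wiki,Work,0
https://app.example.io/join?invite=inv_3fA9Kq7LmZ2xV8bN4tR1yP,alice,x,,,Team invite,Work,0
"""

# Query keys that commonly carry a bearer secret (illustrative list, not exhaustive;
# expect some false positives such as "design" matching "sig").
SENSITIVE_KEY = re.compile(
    r"(token|key|secret|passw|pwd|auth|sig|session|sid|code|otp|invite|reset|ticket)", re.I
)
# Values that look like an opaque credential: long hex, or a long base64/urlsafe run.
OPAQUE_VALUE = re.compile(r"^(?:[0-9a-fA-F]{32,}|[A-Za-z0-9_\-]{20,}={0,2})$")
# Path shapes typical of reset / magic-login / invite links that put the secret in the path.
SECRET_IN_PATH = re.compile(
    r"/(?:reset|recover|invite|magic|confirm|verify|activate|login)[^/]*/[A-Za-z0-9_\-]{16,}", re.I
)


def classify_url(url):
    """Return the reasons a saved URL looks sensitive; an empty list means it looks fine."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.username or parts.password:
        reasons.append("credentials in URL userinfo")
    if SECRET_IN_PATH.search(parts.path):
        reasons.append("opaque secret in path (reset/invite/magic link)")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_KEY.search(key):
            reasons.append(f"sensitive query key '{key}'")
        elif OPAQUE_VALUE.match(value):
            reasons.append(f"opaque value in query key '{key}'")
    return reasons


def find_sensitive_urls(csv_text):
    """Scan an export and return [(entry name, host, reasons)] for entries worth rotating.

    Only the host is returned, never the full URL, so the report itself does not
    re-leak the secrets it is looking for.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        url = row.get("url", "")
        reasons = classify_url(url)
        if reasons:
            findings.append((row.get("name", ""), urlsplit(url).hostname or "", reasons))
    return findings


if __name__ == "__main__":
    for name, host, reasons in find_sensitive_urls(SAMPLE_EXPORT):
        print(f"{name} ({host}): " + "; ".join(reasons))
```

Every hit is a credential to rotate or revoke at the service in question, regardless of how strong your master password was, because the URL field was not protected by it. Treat the script as a triage aid: the keyword patterns are heuristics, so review entries with long opaque query values by hand as well.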


More from @jsrailton

Dec 23
The #LastPass breach (just the latest, btw) is frustrating.

Users that didn't follow "best practices" for their master password are vulnerable (customer password vaults were stolen!).

But also because we've collectively spent years trying to move users to password managers. 1/
2/ #LastPass has a giant target on their back because of the juicy data & password trove that they handle.

And they are absolutely failing their customers.

At this point, each time I hear about LastPass it's: hey, they had *another breach*
3/ Use a password manager!

It makes it easy to use different passwords for each service you use.

But give #LastPass... a pass.

There are many better choices.

Personally, I like @1Password (they are also recommended by @ConsumerReports).