More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • @sab
    link
    English
    91 year ago

    …so far.

    For those that don’t mind self-hosting, which can be as easy as just running syncthing or resilio sync on your NAS, I can really recommend keepass.

    • @NevermindNoMind
      link
      English
      131 year ago

      Me with interest, but no technical knowledge reading your comment:

      which can be as easy as

      :-)

      running syncthing or resilio sync on your NAS

      :-(

      I didn’t understand any of those words

      • @sab
        link
        English
        21 year ago

        A NAS is a home storage server, like Synology that you can use to store images, videos and backups, etc on so you can access them from any computer or device in your home. With a couple of clicks, they can easily run applications like Syncthing or Resilio Sync, which are kinda like Dropbox, except you don’t have to pay Dropbox, you’ll just be storing the files on your own service.

        If that’s too much to handle, you can still just store your Keepass file in Dropbox, so that it’s available on all your devices. But in the end you’ll still be storing your personal data on someone else’s harddisk.

        So in short, is at easy as using a prefab service? No, you’ll have to invest some time, money, and knowledge yourself. But in the end, your data is not gathered in silo together with countless other users, which makes it a lot less attractive for hackers to try and steal it.

      • @Jerkface
        link
        English
        2
        edit-2
        1 year ago

        edit - nevermind I can’t even format a comment, let alone self host a… Thingie. What the other guy said.

    • @kadu
      link
      English
      91 year ago

      deleted by creator

      • @diffusive
        link
        English
        91 year ago

        Self hosting is less appealing for criminals, though. Especially if the protocol is “vanilla” like ssh.

        When you hack LastPass you know what you’ll find, millions of passwords. When you hack a dude ssh you have one chance over one million that there is one dude password wallet.

        It doesn’t make financial sense to hack self hosting (unless it’s specific server software)

        • @[email protected]
          link
          fedilink
          English
          1
          edit-2
          1 year ago

          There are plenty of use cases for going after self hosters. Bot farms are basically made up of “regular” computers infected with malware.

          While you’re at it and have access to tens of thousands computers, also grabbing their passwords is just a nice bonus.

          If anything, it doesn’t make financial sense not to do it. You’re right in that self hosters themselves are not the target per se. but they are targeted for other reasons, and that’s where it ends up becoming problematic.

          • @diffusive
            link
            English
            21 year ago

            You need to aumatize any operation… It’s not conceivable that an human look at every device for stuff to steal. It would be even more expensive.

            Generally all these bit malware do is 1) using a vulnerability to replicate themselves 2) mine crypto or other kind of crap. Sometimes (1) involves also stealing ssh keys but it’s not the goal, it the mean.

            Self hosting password/code/photos/whatever niches you are almost guaranteed that no human will look at hit because the amount of IoT/Routers/etc with nothing valuable beyond themselves generally composes the majority of these compromised bots

            This is just the economic incentive

            • @[email protected]
              link
              fedilink
              English
              11 year ago

              Oh yes, because automating a search for csv and json files to search for mail addresses and passwords can’t be done by malware. It must be a human.

              Common. This happens on massive scale, wether you like it or not.

              https://securityboulevard.com/2023/06/the-alarming-reality-the-extent-of-credentials-stolen-by-botnets/amp/

              https://mybroadband.co.za/news/security/452972-password-cracker-software-creates-crypto-stealing-botnets.html/amp

              https://phys.org/news/2013-12-stolen-credentials-million-compromised-accounts.amp

              • @diffusive
                link
                English
                1
                edit-2
                1 year ago

                It’s software, everything can be done. Even if username and passwords are not kept in plaintext as you suggest (and likely nobody would do)

                Problem is that the number of people that self host password repositories is so little that it makes no financial sense. And so for this reason your “massive scale” is an hyperbole because there isn’t a massive scale of people that self host password repositories

                Botnets that stole from local password repositories makes more sense because there are more people that use password managers of sort.

                Humans looking are flexible enough to look at all possible long tail cases like this… but not going to happen except for high profile targets.

                All in all what i am saying is that i don’t see clear evidence that self hosting is more dangerous (in practice) than centralized hosting

                PS: pro tip If you link references, make sure to read the references you link… The second one has nothing to do with password stealing, it was about a password cracker that was a trojan horse for a botnet. Yes, it fits the search “botnet password” but it doesn’t sustain your point