More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • @[email protected]
    link
    fedilink
    English
    11 year ago

    Oh yes, because automating a search for csv and json files to search for mail addresses and passwords can’t be done by malware. It must be a human.

    Common. This happens on massive scale, wether you like it or not.

    https://securityboulevard.com/2023/06/the-alarming-reality-the-extent-of-credentials-stolen-by-botnets/amp/

    https://mybroadband.co.za/news/security/452972-password-cracker-software-creates-crypto-stealing-botnets.html/amp

    https://phys.org/news/2013-12-stolen-credentials-million-compromised-accounts.amp

    • @diffusive
      link
      English
      1
      edit-2
      1 year ago

      It’s software, everything can be done. Even if username and passwords are not kept in plaintext as you suggest (and likely nobody would do)

      Problem is that the number of people that self host password repositories is so little that it makes no financial sense. And so for this reason your “massive scale” is an hyperbole because there isn’t a massive scale of people that self host password repositories

      Botnets that stole from local password repositories makes more sense because there are more people that use password managers of sort.

      Humans looking are flexible enough to look at all possible long tail cases like this… but not going to happen except for high profile targets.

      All in all what i am saying is that i don’t see clear evidence that self hosting is more dangerous (in practice) than centralized hosting

      PS: pro tip If you link references, make sure to read the references you link… The second one has nothing to do with password stealing, it was about a password cracker that was a trojan horse for a botnet. Yes, it fits the search “botnet password” but it doesn’t sustain your point