anonym.legal

By · Last updated 2026-03-17

Rudi kwa BlogKitaalamu

Uvunjaji wa LastPass: Masomo ya Usalama wa Muuzaji

LastPass ilisimba fiche data ya watumiaji wao. Hifadhidata bado ziliibwa. Rekodi 600,000+ za Okta zilifuata. Matukio ya usalama wa SaaS yaliongezeka 300% kutoka 2022 hadi.

March 17, 20268 dakika kusoma
LastPass breach lessonsSaaS vendor securitycloud vendor riskenterprise securityzero-knowledge architecture

Tukio Lililobadilisha Usalama wa Wingu

Imesasishwa kwa 2026

Uvunjaji wa LastPass wa 2022 si hasa kuhusu wasimamizi wa nywila. Ni kuhusu uaminifu. Makampuni yaliamini muuzaji wa wingu na data yao. Uaminifu huo ulivunjika. Sababu ilikuwa kasoro zilizofichwa, si uzembe.

LastPass iliuza muundo wa zero-knowledge. Kwa vitendo, haukuwa zero-knowledge. Watumiaji milioni 25 walikuwa na hifadhidata zao zilizosimbwa fiche zikiibwa. Shambulio lilifichuliwa kwanza Agosti 2022. LastPass ilibadilisha ufichuzi wake mara kadhaa. Wigo kamili ulitokea mwishoni mwa 2022.

Kwa makampuni katika afya, fedha, na kisheria, hii haikuwa habari ya mbali. Sekta hizi zinakabiliwa na dhima halisi data inapovuja. Kesi ya LastPass ilikuwa ishara ya mapema ya tatizo pana zaidi.

Kasoro Mbili Zilizofanya Shambulio Liwezekane

Ukaguzi wa baada ya tukio uligundua udhaifu mkuu mbili.

Mpangilio dhaifu wa funguo. LastPass ilitumia PBKDF2 kwa utokaji wa funguo. Akaunti mpya zilikuwa na mzunguko 100,100. OWASP inapendekeza 600,000. Akaunti za zamani zilikuwa na chini ya mzunguko 1. Mizunguko michache hufanya mashambulizi ya nguvu ya kutafuta kuwa ya haraka na ya bei ya chini. Washambuliaji wenye faili za hifadhidata waliweza kujaribu nywila kuu kwa kasi ya juu.

Metadata ya maandishi wazi. Maudhui ya hifadhidata yalisimbwa fiche. Lakini metadata haikuwa. URL, majina ya mtumiaji, na majina ya huduma yalikuwa yote yanaonekana katika data iliyoibiwa. Washambuliaji waliweza kuona huduma gani kila mtumiaji alikuwa na akaunti nazo. Hiyo iliwezesha wizi wa kulenga na kujaza nywila. Kuvunja hifadhidata haikuhitajika.

Kesi hii inaonyesha kwa nini maswali mawili lazima yaulizwe tofauti. "Je, muundo ni zero-knowledge?" ni swali moja. "Je, ujenzi ni sahihi?" ni swali tofauti.

Okta mwaka 2023: Shambulio Tofauti, Matokeo Sawa

Oktoba 2023, Okta iliripoti tukio la usalama. Hati iliyoibiwa ilimpa mshambuliaji upatikanaji wa mfumo wake wa msaada wa mteja. Shambulio lilifichua rekodi 600,000+ za msaada. Hizi zilijumuisha faili zilizopakuliwa na wateja wakati wa vikao vya msaada.

Okta ni jukwaa la usalama wa utambulisho. Tatizo haikuwa kasoro ya muundo. Ilikuwa kushindwa kwa udhibiti wa upatikanaji. Kuingia kwa mhandisi wa msaada kuliibiwa. Mshambuliaji alitumia kufikia data nyeti.

LastPass na Okta zinaonyesha njia kuu mbili za kuathiriwa na muuzaji:

  • Kushindwa kwa muundo -- madai ya zero-knowledge ambayo hayakujengwa kwa usahihi
  • Kushindwa kwa udhibiti wa upatikanaji -- hati halali zilizotumika kufikia data ambazo hazipaswa kuzifikia

Muundo wa zero-knowledge unazuia aina ya kwanza. Hauzuii mshambuliaji mwenye hati halali za msaada. Lakini unazuia mshambuliaji huyo kusoma data ya mteja. Muuzaji kamwe hashikili maudhui yanayoweza kusimbuliwa. Angalia muhtasari wetu wa usalama na uzingatifu kwa jinsi hii inavyotumika kwa zana za PII.

Matukio ya Usalama wa SaaS Yaliongezeka 300% kwa Miaka Miwili

Obsidian Security iligundua ongezeko la 300% katika matukio ya usalama ya jukwaa la SaaS kutoka 2022 hadi 2024.

Hii si ongezeko la 300% la ujuzi wa mshambuliaji. Nguvu mbili zilisukuma. Matumizi ya SaaS yalikua haraka. Washambuliaji walifuata data. Kuathiriwa kwa muuzaji mmoja kunaweza kufichua data kutoka kwa wateja makumi mara moja. Malipo hayo yanaunga mkono mashambulizi ya muuzaji dhidi ya mashambulizi ya kampuni moja.

Biashara zilizokudhani majukwaa ya wingu yalikuwa salama zinahitaji kusasisha mtazamo huo. Wauzaji wa SaaS sasa ni malengo ya msingi.

Maswali ya Kuuliza Muuzaji Yoyote wa Wingu

Kwa timu za ununuzi na usalama, orodha hii ya kukagua inashughulikia maeneo ya msingi.

Mpangilio wa usimbaji fiche:

  • Omba algoriti ya utokaji wa funguo, hesabu ya mzunguko, na mipangilio ya kumbukumbu.
  • Thibitisha hesabu za mzunguko zinakidhi viwango vya chini vya OWASP. Hiyo ni PBKDF2-SHA256 ya 600,000 au sawa na Argon2id.
  • Thibitisha utokaji wa funguo unafanya kwenye kifaa chako, si kwenye seva za muuzaji.

Kufichuliwa kwa metadata:

  • Uliza metadata gani imehifadhiwa katika maandishi wazi karibu na maudhui yaliyosimbwa fiche.
  • Omba mfano wa data. Unapaswa kuonyesha sehemu gani zimesimbwa fiche na zipi zinaonekana katika shambulio.

Upatikanaji wa msaada:

  • Uliza kama wafanyakazi wa msaada wanaweza kufikia data ya mteja.
  • Thibitisha mifumo ya msaada haiwezi kufikia maandishi wazi ya mteja.

Historia ya matukio:

  • Omba matukio yote ya awali ya usalama, ikiwa ni pamoja na yale yaliyo chini ya viwango vya ufichuzi wa umma.
  • Tathmini jinsi ufichuzi wa awali ulikuwa kamili na wa uaminifu.

Tukio la LastPass lilikuwa kushindwa kwa ujenzi na kushindwa kwa uaminifu. Wauzaji wenye majibu mahususi wanaruhusu ukaguzi halisi wa hatari. Wauzaji wenye madai ya wasiwasi wanawacha hatari imefichwa. Hatari hiyo mara nyingi inatokea tu baada ya shambulio. Angalia muhtasari wetu wa uzingatifu kwa mwongozo wa kutathmini muuzaji.

anonym.legal inatumia usanifu wa zero-knowledge kwa kutokujulikana kwa PII. Utokaji wa funguo unafanya kupitia Argon2id katika kivinjari au programu yako ya eneo-kazi. Usimbaji fiche unafanyika kabla data haijaondoka kwenye kifaa chako. Seva zinashikilia tu maandishi yaliyosimbwa fiche ambazo haziwezi kusimbua. Jifunze zaidi.

Vyanzo

Makala Zinazohusiana

Kitaalamu

Cross-Platform PII: Mac, Linux, and Windows

Privacy officers on Mac, legal on Windows, data engineers on Linux — all processing the same data with different tools. Here's why OS-agnostic detection.

Kitaalamu

Cross-Application PII: Word, Chrome, and AI

Customer data flows from browser research to Word drafts to Claude prompts. Each context switch is a potential leakage point.

Kitaalamu

GDPR in App Logs: JSON PII Compliance

Application logs contain customer email addresses, IPs, and account numbers that GDPR Article 5(1)(e) requires be managed.

Tayari kulinda data yako?

Anza kuanonymisha PII na aina 285+ za vitu katika lugha 48.

Anza Jaribio la BureTazama Vipengele

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

Related reading

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.