anonym.legal

By · Last updated 2026-03-16

Rudi kwa BlogKitaalamu

Kutathmini Madai ya ZK Baada ya LastPass

$438M iliibwa kutoka kwa watumiaji wa LastPass baada ya 'hifadhidata zilizofichwa' kuvunjwa. Faini ya ICO ya pauni 1.2M ilifuata. Hapa kuna orodha ya kukagua kwa kutathmini kama madai ya muuzaji ni ya kweli.

March 16, 20268 dakika kusoma
zero-knowledge evaluationvendor security assessmentLastPass breachcloud encryption claimsGDPR Article 32

Pengo Kati ya Dai na Usanifu

Imesasishwa kwa 2026

Kila muuzaji wa wingu anasema kitu kimoja: "Tunasimba fiche data yako." Dai hilo karibu daima ni kweli. Karibu daima halikidhi.

Uvunjaji wa LastPass wa 2022 ni mfano bora. LastPass ilisimba fiche hifadhidata za nywila za watumiaji. Walitumia usimbaji fiche wa kweli. Dai lilikuwa sahihi. Na hata hivyo watumiaji milioni 25 walikuwa na hifadhidata zao zilibiwa. Kufikia 2025, $438 milioni ilikuwa imeibiwa kutoka kwa watumiaji wa LastPass katika wizi wa sarafu za kidijitali. Coinbase Institutional ilifuatilia takwimu hii.

Ofisi ya Makamishna wa Habari wa Uingereza ilifahuliwa huluki ya LastPass ya UK pauni 1.2 milioni Desemba 2025. Sababu: "kushindwa kutekeleza hatua zinazofaa za usalama wa kiufundi na wa shirika." Usimbaji fiche ulikuwa wa kweli. Lakini haukukidhi kiwango kinachohitajika.

Kesi ya LastPass inabadilisha swali kuu kwa zana yoyote ya faragha ya wingu. Si "Je, wanasimba fiche data yetu?" bali: "Je, wanaweza kusimbua fiche data yetu?"

Maswali Manne Yanayofaa Kweli Kweli

Maswali manne yanafichua kama dai la zero-knowledge la muuzaji linashikilia.

1. Utokaji wa funguo unafanyika wapi?

Katika muundo wa kweli wa zero-knowledge, utokaji wa funguo unafanyika kwenye mteja. Hii inamaanisha katika kivinjari au programu ya eneo-kazi, kabla data yoyote kutumwa. Ufunguo unasimba fiche data kwa eneo. Nakala iliyosimbwa fiche tu ndiyo inayofikia seva za muuzaji.

Ikiwa muuzaji anatoa funguo kwenye seva zake, wanashikilia funguo. Wakishikilia funguo, wanaweza kusimbua fiche. Dai linaweza kuwa sahihi -- lakini linapotosha.

2. Je, muuzaji anawahi kuona maandishi wazi?

Zana fulani zinasimba fiche data iliyohifadhiwa. Lakini zinaisimbua fiche kwa usindikaji. Hii inaweza kutokea kuendesha mifano ya AI, faharasa za utafutaji, au kumbukumbu za ukaguzi. Katika dirisha hilo, maandishi wazi yako kwenye mifumo ya muuzaji. Shambulio wakati huo linafichua data isiyosimbwa fiche.

3. Kinatokea nini chini ya mchakato wa kisheria?

Muuzaji mwenye funguo za upande wa seva anaweza kulazimishwa kutoa maudhui yaliyosimbuliwa fiche. Muuzaji mwenye zero-knowledge ya kweli anaweza tu kutoa maandishi yaliyosimbwa fiche. Hawana chochote cha kuleta, hata chini ya hati ya pekee.

4. Ni nini kinachofichuliwa katika kuathiriwa kwa seva kamili?

Katika mfumo wa kweli wa zero-knowledge, kuathiriwa kwa kamili kunatoa blobs zilizosimbwa fiche tu. Mshambuliaji anapata maandishi yaliyosimbwa fiche bila funguo. Katika mfumo wa funguo za muuzaji, uvamizi unafichua funguo na data kwa wakati mmoja.

Pengo la Utekelezaji wa LastPass

Tukio la LastPass lilifunua kasoro moja mahususi. Akaunti za zamani zilitumia PBKDF2 na kama mzunguko 1 kwa utokaji wa funguo. Hesabu salama ni mzunguko 600,000. Mpangilio huo dhaifu ulifanya mashambulizi ya nguvu ya kutafuta kwenye hifadhidata zilizoibiwa kuwa rahisi.

Hii inaonyesha kwa nini kukagua muundo peke yake hakutoshi. Muuzaji anaweza kutumia muundo wa zero-knowledge na bado kuutekeleza vibaya. Uliza kuhusu vyote viwili: mahali funguo zinatokewa, na jinsi algoriti inavyotengenezwa.

Njia Tofauti ya Kushindwa: Okta

Oktoba 2023, Okta ilifichua uvujaji wa rekodi 600,000+ za msaada wa wateja. Okta ni jukwaa la utambulisho. Haikuwa muundo dhaifu wa zero-knowledge. Ilikuwa uvamizi wa mfumo wa msaada ulioshikilia data ya mteja.

Ongezeko la 300% la mashambulizi ya SaaS mwaka 2024 (AppOmni/CSA) linaonyesha aina zote mbili za kushindwa. Muundo wa zero-knowledge unashughulikia aina ya kwanza. Hauondoi hatari yote. Lakini unohakikisha kuathiriwa kwa mfumo kamili hakufichulio data ya mteja inayoweza kusimbuliwa.

Tathmini Halisi Inaonekanaje

Hapa kuna orodha ya kukagua ya vitendo kwa timu za manunuzi.

Ukaguzi wa usanifu:

  • Uliza mahali utokaji wa funguo unafanyika -- kwenye mteja au kwenye seva ya muuzaji
  • Omba algoriti ya usimbaji fiche, urefu wa ufunguo, na hesabu ya mzunguko
  • Thibitisha maandishi wazi hayatumiwi kwenye seva za muuzaji

Jaribio la hali ya kuathiriwa:

  • Uliza kuathiriwa kwa seva kamili kungeweza kufichua nini
  • Jibu pekee sahihi: "maandishi yaliyosimbwa fiche ambayo hatuwezi kusimbua"
  • Jibu lolote lingine linamaanisha dai si zero-knowledge ya kweli

Ukaguzi wa mchakato wa kisheria:

  • Uliza kama muuzaji anaweza kutii hati ya pekee kwa maandishi wazi ya mteja
  • Muuzaji wa kweli wa zero-knowledge hawezi kutoa asiyoshikilia

Ukaguzi wa uzingatifu:

  • Omba nyaraka za Kifungu cha 32 cha GDPR za muuzaji
  • ISO 27001 -- hasa udhibiti wa kriptografia wa Kiambatisho A -- inatoa uthibitishaji wa nje

Faini ya ICO ya pauni 1.2 milioni ya LastPass inaonyesha wasimamizi sasa wanaangalia kama madai ya usimbaji fiche yanakidhi kiwango kinachohitajika. Timu za manunuzi zinaweza kutumia jaribio hilo hilo kabla tukio halijatokea.

Angalia muhtasari wetu wa usalama na uzingatifu kwa jinsi anonym.legal inavyoshughulikia zero-knowledge. Nyaraka za uzingatifu zinashughulikia Kifungu cha 32 cha GDPR kikamilifu. Kwa maswali ya kawaida, angalia Maswali Yanayoulizwa Mara Kwa Mara ya zero-knowledge.

Vyanzo

Makala Zinazohusiana

Kitaalamu

Cross-Platform PII: Mac, Linux, and Windows

Privacy officers on Mac, legal on Windows, data engineers on Linux — all processing the same data with different tools. Here's why OS-agnostic detection.

Kitaalamu

Cross-Application PII: Word, Chrome, and AI

Customer data flows from browser research to Word drafts to Claude prompts. Each context switch is a potential leakage point.

Kitaalamu

GDPR in App Logs: JSON PII Compliance

Application logs contain customer email addresses, IPs, and account numbers that GDPR Article 5(1)(e) requires be managed.

Tayari kulinda data yako?

Anza kuanonymisha PII na aina 285+ za vitu katika lugha 48.

Anza Jaribio la BureTazama Vipengele

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

Related reading

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.