LastPass acknowledges customer data leak resulting from the earlier breach
LastPass, a widely used password manager, disclosed a data breach in August 2022.
About a month after the event, the company produced a brief but useful report. (GoTo, now known as LogMeIn, is a software-as-a-service company.)
In a nutshell, LastPass found evidence that attackers were successful in installing malware on a developer’s machine.
From there, the attackers were able to “tailgate” into the company’s development systems by waiting until the developer had completed LastPass’s authentication process, including presenting any necessary multi-factor authentication credentials.
LastPass stated that the hackers were not able to access any customer data or anyone’s encrypted password vaults via the developer’s account.
In the latest spate of #informationsecurity incidents, @lastpass acknowledges an incident with its Developer account leading to portions of it #SourceCode and developer environment being compromised! https://t.co/5npyKAJoL1
— Ramkumar (@nocturnalknight) August 26, 2022
However, the business did confirm that the thieves had stolen some of LastPass’s confidential data, including “parts of our source code and technical information,” and that they had been in the system for four days before being discovered and expelled.
LastPass, however, later confirmed in late November 2022 that there was more to the story than they had initially believed.
A security advisory from the corporation dated 2022-11-30 states that the company was recently breached again by attackers “using information collected in the August 2022 incident,” and that client data was taken this time.
In other words, although the criminals could not dig directly into customer records from the account of the developer whose machine was infected with malware back in August, they appear to have stolen internal details that later gave them, or someone they sold the data to, access to customer information.
LastPass has said that it is “working diligently to establish the scale of the problem and identify what specific information has been obtained,” but has not yet revealed what kind of user data was compromised.
Today [2022-12-01T23:30Z], all we know for sure is that “[o]ur customers’ passwords are safely encrypted due to LastPass’ Zero Knowledge architecture.”
(“Zero knowledge” here means that LastPass stores the contents of its users’ password vaults but has no way of reading them, so it cannot tell what that information is for or even whether it includes account names and passwords.)
In short, your passwords are only as safe as the master password you chose for yourself, which LastPass’s cloud services never ask for or keep copies of. That holds even if it turns out that the crooks could have made off with personal information such as home addresses, phone numbers and payment card details (though we hope that isn’t the case, of course).
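The zero-knowledge model described above, as an added example that is not LastPass’s code or documentation: both the vault key and the login hash are derived on the client from the master password, the server keeps only the login hash and an opaque encrypted blob, and a copy of what the server holds is useless without the master password. The iteration count, the sample account and the HMAC-in-counter-mode stand-in cipher are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
KDF_ITERATIONS = 100_000  # constructed value for this demo, not LastPass's setting

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Client side only: derived from the master password and never uploaded.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), KDF_ITERATIONS)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    # Login credential: one more one-way step, so the server never holds the vault key or master password.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF stream: a stdlib stand-in for AES in this demo.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, nonce, len(ct))))

class VaultServer:
    # All the service stores per user: an auth hash and an opaque ciphertext blob.
    def __init__(self):
        self.users = {}
    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        self.users[email] = (auth_hash, blob)
    def login(self, email: str, auth_hash: bytes) -> bool:
        rec = self.users.get(email)
        return rec is not None and hmac.compare_digest(rec[0], auth_hash)

def demo() -> dict:
    email, master = "alice@example.com", "correct horse battery staple"  # constructed sample
    key, server = derive_vault_key(master, email), VaultServer()
    server.register(email, derive_auth_hash(key, master), encrypt_vault(key, b'{"bank": "hunter2"}'))
    stolen_auth, stolen_blob = server.users[email]  # models a breach of everything the server held
    try:  # the auth hash is not the vault key, so it cannot open the blob
        opened = decrypt_vault(stolen_auth, stolen_blob) is not None
    except ValueError:
        opened = False
    return {"login_ok": server.login(email, derive_auth_hash(key, master)),
            "opened_with_stolen_auth": opened, "owner_reads": decrypt_vault(key, stolen_blob)}
```

The strength of the whole scheme rests on the master password feeding the key derivation, which is exactly why the article says your passwords are only as safe as that one secret.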
So, what do we do now?
- Our advice to LastPass users is to regularly check the company’s security incident report for any new information.
- Cybersecurity defenders would do well to heed the counsel of Sophos cybersecurity researcher Chester Wisniewski on how to prevent a “beachhead” attack from spreading over their own information technology infrastructure.
Chester talks about a similar breach that happened in September 2022 at ride-hailing business Uber in the podcast below (there’s a full transcript if you prefer reading to listening) and reminds you why “divide and conquer,” also known as the jargon term zero trust, is an important part of modern cyber defense.
As Chester demonstrates, the consequence will undoubtedly be much worse if criminals who have access to some of your network can freely go anywhere they choose until they gain access to all of it.
Additionally, many readers ask:
I don’t see why a data leak would expose my password.
A second compromise is possible if you reused compromised credentials after a security breach. If your credentials were compromised, hackers may gain access to any and all of the online services and solutions you use, including your bank accounts.
Was there a security compromise in LastPass?
Despite experiencing its second data breach of 2022, password service LastPass has continued to ensure the safety of its users’ passwords. LastPass found the compromise on November 30 after noticing “strange behavior” in the cloud storage system used by a third party.
What could possibly go wrong with all my passwords in LastPass?
Any time you enter a password into your vault that is either too simple, too easily guessed or missing for the corresponding site, you put yourself in danger. All of your passwords that require attention will be displayed on the Passwords page of your vault, or on the Password Security page of your Security Dashboard.
Is there a good reason I should quit using LastPass?
The attack allowed for the acquisition of hashed user master passwords, email addresses, and security question answers. Because of this, a hacker might use the recovery options to take over a user’s LastPass account. It is estimated that 16 million people may have had their credentials compromised.