There are very few security services I pay for, especially subscription services. But even while open-source and self-hosting is my jam, one of the few I do pay for is LastPass, a leading password management product. After using it in a corporate setting, I fell in love with LastPass and even got my whole family onboard with it. If nothing else, this allows me to sleep better at night as the officially designated CISO of the Martin family.

Unfortunately, LastPass suffered a breach in late November 2022. This follows hot on the tail of a previous security incident in August 2022. In both instances, LastPass displayed extraordinary transparency and excellent communication with its customers. Both times I received a prompt email from LastPass leadership detailing what happened and how the breach occurred, plus deep technical explanations ensuring that customer data was still secure. This rapid response lies in stark contrast to the many recent incidents in which the top names in tech have waited months to disclose breaches, told different stories internally and externally, and failed to own up to mistakes.

The Post-Breach Fallout: Fool Me Once, Shame on You

Breaches happen and will continue to happen; criticism comes when organizations do not communicate effectively or refuse to disclose incidents externally because “they’re not legally required to.” What is rare to see is a company with the notoriety of LastPass breached multiple times in quick succession, and the resulting uproar is caused not by communication issues but rather by accusations of what the breached company did not do.

When a company is breached for the first time, what undoubtedly follows is weeks or even months of round-the-clock engineering work to remediate and patch any vulnerabilities. One of the most critical steps in a security incident investigation is forensic analysis, which reveals the intricacies of the attack and what data may have been viewed or stolen. On the public-facing side, media scrutiny may be intense at first but will eventually subside.

The first LastPass breach in August was caused by the compromise of a single, privileged developer account. Development resources typically have access to a company’s most critical assets, including customer data, financial records, and personally identifiable information (PII). In this case, the developer in question had access to LastPass source code. This is likely where the second LastPass breach began its life.

When source code is stolen, most people probably assume that the purpose was to try and gain pieces of the victim’s platform to implement in a competitive product. But in reality, attackers are usually after the hard-coded credentials that lie within code. Legacy code, especially for homegrown applications, is often riddled with username and password combinations or API key credentials in cleartext for anyone to grab and use as needed. Why? Because it is usually a lot less work than integrating a credential vault solution or using a credentials file that a developer must maintain indefinitely. Though it pains us security folks to hear it, in the dev world speed to release tends to be a priority over proper security.

If the LastPass attacker was able to steal source code, this means they had access to inject a malicious payload into the software supply chain as well. The infamous SolarWinds hack was caused by their software development cycle being breached: malware infected the code that was shipped to customers globally, ultimately infecting those customers as well. There have been no confirmations from LastPass on whether this happened, but it is a possibility.

In December, LastPass shared another report that the threat actor used the information stolen in August to access a copy of the backup of customer data and password databases (vault). The customer data accessed included names, email addresses, phone numbers, billing addresses, IP addresses, and partial credit card numbers. Nevertheless, LastPass assured that the stolen data did not include the user’s master password required to access the encrypted portions of the customer’s vault data, and the passwords stored with LastPass are still secure since the encryption and decryption of passwords take place on the user’s device. However, LastPass did warn its customers that the threat actors may use brute force attacks as well as social engineering and phishing to guess the master passwords and decrypt the stolen copies of vault data.
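The point above about legacy code being riddled with cleartext usernames, passwords and API keys is exactly what a pre-commit or CI secret scan exists to catch, and it is also why a runtime lookup (environment variable or vault client) is the low-effort replacement worth pushing for. The Python below is an added example, not code from the original post and not anything LastPass ships: it runs a small heuristic scanner over a constructed sample of "legacy" source lines, redacts what it finds so the report itself does not leak the secret, and shows the hardened `load_secret` pattern beside it. The sample lines, the name patterns and the `load_secret` helper are all assumptions of this example.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Mapping

# Constructed sample of a legacy helper module (not real code, not from the post).
# Lines 4, 5 and 8 carry cleartext secrets; line 7 shows the hardened runtime lookup.
SAMPLE_SOURCE = """\
# constructed sample of a legacy helper module, not real code
DB_HOST = "reports-db.internal"
DB_USER = "svc_reports"
DB_PASSWORD = "Summer2019!"
api_key = "key_constructed_0123456789abcdef"
session_timeout = 30
password = os.environ["DB_PASSWORD"]
oauth_token: "tok_constructed_zzz"
"""

# Identifier words that usually mean "this value is a credential".  Heuristic:
# it will flag names like "passthrough" too, which is acceptable for a first pass.
SECRET_WORDS = re.compile(
    r"pass(?:word|wd)?|pwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key",
    re.IGNORECASE,
)

# `name = "literal"` or `name: "literal"` with a quoted value of 4+ characters.
# A value that is an expression (os.environ[...], vault.get(...)) does not match,
# which is the whole point: only cleartext literals are reported.
ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][\w.]*)\s*[:=]\s*(?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)"""
)


@dataclass
class Finding:
    line_no: int      # 1-based line in the scanned text
    name: str         # the identifier that received the literal
    redacted: str     # first two characters, rest masked


def redact(value: str) -> str:
    """Keep a two-character prefix so a reviewer can locate the secret without reprinting it."""
    return value[:2] + "*" * (len(value) - 2)


def scan_source(text: str) -> List[Finding]:
    """Return every assignment of a quoted literal to a secret-looking identifier."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        if not SECRET_WORDS.search(match.group("name")):
            continue
        findings.append(Finding(line_no, match.group("name"), redact(match.group("value"))))
    return findings


def load_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Hardened counterpart: resolve the credential at runtime from the environment
    (a stand-in for a vault client call) so it never lives in the repository.
    Fails closed and never echoes the value in the error message."""
    try:
        value = env[name]
    except KeyError:
        raise RuntimeError(f"secret {name!r} is not configured") from None
    if not value:
        raise RuntimeError(f"secret {name!r} is empty")
    return value


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.name} = {f.redacted}")
    # Hardened path: the secret comes from the process environment, not the file.
    print("db password configured:", bool(load_secret("DB_PASSWORD", {"DB_PASSWORD": "set-by-deploy"})))
```

Run as a pre-commit hook or a CI step over `git diff` output, this catches the "just hard-code it for now" commit before it lands; the redaction matters because scan reports end up in build logs, which are themselves a frequent source of leaked credentials.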