Mobile Syrup

LastPass’ vault breach came from hacking engineer’s home computer

LastPass’s August 2022 security breach continues to get worse.

In a recent update, the company has confirmed hackers have access to customer vault data, building on news it shared in December.

The revelation stems from an August 2022 cyber attack, which allowed bad actors to access the company’s source code. LastPass originally said customer data was safe.

However, hackers were able to steal login credentials from a senior engineer through their home computer in December, gaining access to storage services that held backups of encrypted vault data with user information.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” LastPass’s blog post reads.

The company has four DevOps engineers with access to the relevant storage folders, and LastPass said it was “difficult” to tell the difference between legitimate and illegitimate activity.

LastPass says it has completed several actions following the December incident, including cancelling and re-issuing certificates accessed by the hackers.

Source: LastPass

LastPass’ August breach resulted in vault leaks

Hackers that targeted LastPass in August now have access to encrypted copies of users’ password vault data.

Master passwords were not compromised, according to the company’s December 22nd blog post update.

User data was not compromised in the August breach, and hackers could only access source code and other technical information. However, hackers used this information to target an employee, gaining their credentials to access information.

The hackers accessed “basic customer account information” like company names, phone numbers, and email addresses, in addition to backup copies of users’ password vaults.

While master passwords protect this information, hackers might try to brute force them. But “it would take millions of years to guess” a master password as long as users followed the company’s best practices guidelines for constructing passwords.

LastPass is warning users to be vigilant of phishing attacks where hackers will try to get access to information associated with master passwords.

“It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”

Source: LastPass

LastPass CEO confirms August security breach exposed customer info

LastPass says a security breach in August has led to the exposure of customer information.

The password manager lets users store private passwords that are encrypted and accessed through a master password, similar to 1Password and Bitwarden.

The company has changed its original tone after initially stating no customer information was compromised.

“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” Karim Toubba, LastPass CEO, said in a blog post.

The company launched an investigation, engaged a security firm, and informed law enforcement.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”

While Toubba said passwords remain encrypted, the company continues to investigate the scope of the breach.

Source: LastPass