Hackers managed to access LastPass’ corporate vault by targeting the home computer of one of four engineers who had access to decryption keys needed to access cloud data storage where sensitive information was kept. The hackers did this by exploiting a vulnerability in a third-party media software package, which Ars Technica later reported to be Plex. From here, the hacker installed a keylogger, captured the engineer’s master password, bypassed the company’s multi-factor authentication protections, and accessed the corporate vault. In there, the hacker stole the keys needed to access “LastPass production backups, other cloud-based storage resources, and some related critical database backups,” the blog reads.

Companies get hacked all the time. The post shows that the hacker against LastPass was resourceful and persistent, but also that LastPass was not treating its own crown jewels with the serious security practices it should have. A LastPass engineer was accessing critical services from their home computer and network. LastPass had difficulty distinguishing between the activity of the worker and that of the hacker. The sensitive information (in this case, customers’ password vaults, which need the user’s master password to decrypt but could theoretically be brute forced at some point) was stored less in a bank vault and more in a closet.

“4 people who have access to ‘the keys to the kingdom’. At least 1 of them was accessing them from a home computer. For how long without anyone noticing? If that didn’t raise flags, then it won’t for an attacker either,” the pseudonymous security researcher MG tweeted after LastPass published its blog post. “Helping them harden their home network is nice, but there needs to be some big cultural improvements & better controls/detections.”

Do you know anything else about the LastPass breach? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or

In an August blog post, LastPass said a hacker compromised a developer account and stole portions of company source code and some “proprietary LastPass technical information.” Crucially, LastPass spokesperson Nikolett Bacso Albaum told Motherboard in a statement at the time: “We have no evidence that this incident involved any access to customer data or encrypted password vaults.”

In a new blog post, LastPass said the hacker “was also able to copy a backup of customer vault data from the encrypted storage container.” LastPass stressed that customers’ website usernames and passwords were encrypted, and could only be decrypted with the individual customer’s master password. But as LastPass acknowledges, the hacker may attempt to brute force these passwords. LastPass says that would be “extremely difficult.” With the latest information about targeting the engineer’s home computer, we now know just how determined this hacker was, though.

In that December blog post, LastPass said it had decommissioned the compromised developer environment and built it again from scratch. On Monday, LastPass published a blog post which provided more information on that breach, which it is now calling “Incident 2,” because the hacker leveraged its initial access to then steal data. “Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities,” LastPass wrote. Now, the Monday blog post provides the extra details about how the hackers compromised the LastPass engineer.

Investigations take time, but it is now more than 6 months since the initial breach. The recent disclosure of exactly how the breach happened is useful. However, the details are even more concerning.

Even before this latest blog post, some security researchers had already recommended ditching LastPass. Jeremi Gosney, a member of the core development team for the password cracking software Hashcat, said in a lengthy Mastodon post in December that he had previously supported LastPass. Issues Gosney flagged included LastPass suffering a total of seven major security breaches in the last ten years, ignoring vulnerability reports, and how LastPass keeps your vault encryption key in memory.