Written by Ofir Shaty and Ofir Balassiano.

For many LastPass employees – from software engineers to C-level executives – the last few months have been hell. Since December, the company has been embroiled in what's shaping up to be a major data security scandal. You can find the full details elsewhere (such as in this Ars Technica story or in the LastPass blog), but to recap: LastPass suffered from two data breach incidents in August 2022. In the first incident, some proprietary data was stolen – including development and source code repositories, internal scripts, and documentation. However, LastPass announced at the time that customer data wasn't compromised. Unfortunately, this was not the case in the second incident, which occurred shortly thereafter (and was only discovered at the end of February). A DevOps engineer was specifically targeted by the attacker, who exploited a third-party software vulnerability on the employee's home computer, along with information stolen in the first breach. The attacker used this vulnerability to gain access to cloud backups – and to access a shocking amount of the most sensitive data imaginable.

LastPass is not just another software company. It's an organization whose mission statement is closely tied to managing extremely sensitive user data: passwords. These credentials are the keys to every element of our online identity. In an increasingly digital world, they can unlock our personal correspondence, our health data, and our financial records. And as a popular tool in this space, it holds credentials for millions of users – many of whom are now at risk.

According to the inventory published by LastPass, we now know that the attacker managed to steal backups of all customer vault data: encrypted copies of LastPass customers' password vaults and digital access credentials. Specific login details are still protected by master passwords, but should the hackers manage to crack them, they would gain full access to credentials used across the web. While LastPass mentioned this would take "millions of years", others have rightfully noted that the time frame might be much shorter for customers who didn't choose a strong master password to begin with.

In addition, the attacker now has their hands on:

- The split knowledge component ("K2") key, which can be used to decrypt customer data.
- A backup of LastPass's multi-factor authentication (MFA) database, which contained copies of LastPass MFA Authenticator seeds and the telephone numbers used for MFA (if enabled).
- Unencrypted customer data, including metadata and URLs.
- DevOps secrets that were used to gain access to LastPass's cloud-based backup storage.
- Configuration data, API secrets, and third-party integration secrets.

This is an eye-watering amount of sensitive data that can now be used maliciously. It's not at all clear if the company will manage to regain user trust and recover from the blow dealt to its reputation.
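The point above that "millions of years" depends entirely on the master password, worked through as an added example (not code from the original post or from LastPass): a rough estimate of how long offline guessing against a stolen, encrypted vault backup would take, as a function of the candidate space and the KDF iteration count. The guess rate, wordlist size, iteration count and sample passwords are all assumed, constructed values, chosen to show why users with weak master passwords should rotate their credentials first.

```python
import math

# Assumed figures, not from the post or from LastPass: an attacker's raw
# PBKDF2-HMAC-SHA256 throughput and the size of a leaked-password wordlist.
ASSUMED_ITERATIONS_PER_SECOND = 1e10
ASSUMED_WORDLIST_SIZE = 10_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(password: str) -> float:
    """Optimistic entropy estimate: length times log2 of the character pool.
    Treats the password as random within its classes, so it is an upper bound."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def candidate_space(password: str, in_wordlist: bool = False) -> float:
    """Candidates an offline guesser must cover. A password found in a leaked
    list falls within that list; otherwise assume brute force over its classes."""
    if in_wordlist:
        return float(ASSUMED_WORDLIST_SIZE)
    return 2.0 ** password_entropy_bits(password)


def expected_crack_years(candidates: float, kdf_iterations: int,
                         iterations_per_second: float = ASSUMED_ITERATIONS_PER_SECOND) -> float:
    """Expected time to recover a master password from a stolen vault backup:
    half the candidate space on average, each guess costing kdf_iterations."""
    guesses_per_second = iterations_per_second / kdf_iterations
    return (candidates / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample master passwords, compared at an assumed 100,000-iteration KDF.
    samples = [("password1", True), ("Tr0ub4dor&3", False), ("c0rrect-Horse-Battery-Staple!", False)]
    for pw, leaked in samples:
        years = expected_crack_years(candidate_space(pw, leaked), 100_000)
        print(f"{pw:32} {password_entropy_bits(pw):6.1f} bits  ~{years:.3g} years")
```

Raising the iteration count scales every estimate linearly, but a master password that sits in a leaked-password list is recovered in seconds at any realistic count, which is the gap between the vendor's "millions of years" and the critics' warning.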