This isn't the first time LastPass has been a target for hackers: in a 2015 incident, attackers made off with usernames and hashed master passwords (see: LastPass Sounds Breach Alert). Security experts continue to recommend password managers as a best practice; a 2019 study found that password strength increases significantly when users rely on an application to manage their passwords.

That's important because LastPass kept production backups and critical database backups in the cloud. A large amount of sensitive customer data was also stolen, although it appears the hackers were not able to decrypt it. A LastPass support page details exactly what was stolen. Luckily for LastPass users, it seems that customers' most sensitive data, such as (most) email addresses and passwords, was encrypted using a zero-knowledge method. That means it was encrypted with a key derived from each user's master password and unknown to LastPass. When the hackers stole LastPass data, they were unable to obtain these decryption keys because LastPass does not store them anywhere.

That said, plenty of important data was taken by the threat actors. That included backups of LastPass's multi-factor authentication database, API secrets, customer metadata, configuration data, and more. As well as that, it seems numerous products apart from LastPass were also breached. On a support page, LastPass said the way the second attack was carried out, by using genuine employee login details, made it difficult to detect. In the end, the company realized something was wrong when its AWS GuardDuty alerts warned it that someone was trying to use its cloud Identity and Access Management (IAM) roles to perform unauthorized activity.

LastPass has come in for plenty of criticism over its handling of the attacks in recent months, and that disapproval is unlikely to die down in light of the latest revelations.
"While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multifactor authentication," Toubba says. Toubba acknowledges that the threat actor was able to access the development environment but failed to access any customer data or encrypted password vaults. He also says that the LastPass development environment is physically separated from other environments, including the production area, and holds no customer data or encrypted vaults.

The notification also says that the company does not have access to the master passwords used by its customers, and without the master password no one can decrypt vault data under the company's "zero-knowledge security model." The company confirms that its code remains intact and that there is no evidence of code poisoning or malicious code injection. "Developers do not have the ability to push source code from the Development environment into Production. This capability is limited to a separate Build Release team and can only happen after the completion of rigorous code review, testing and validation processes," Toubba says.

LastPass also partnered with an unnamed cybersecurity firm to further enhance its source code safety practices, including secure software development life cycle processes, threat modeling, vulnerability management and bug bounty programs, as part of its risk management program. The company says it deployed additional security controls, including extra endpoint security controls and monitoring, threat intelligence capabilities, and enhanced detection and prevention technologies for its development and production environments.
Password manager LastPass says the attackers behind the August security incident had access to its systems for four days. LastPass CEO Karim Toubba, sharing details about last month's breach, confirms that there is no evidence of any threat actor activity beyond the established timeline. "We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults," Toubba says.

In August, an unknown threat actor gained unauthorized access to the source code and proprietary technical information of LastPass (see: Hacker Steals Source Code, Proprietary Data From LastPass). The breach investigation was carried out in partnership with cybersecurity firm Mandiant and found that the threat actor's activity was limited to a four-day period until the incident was contained. Further investigation by LastPass and Mandiant determined that the threat actors gained access to the development environment using a developer's compromised endpoint.