What we know about the LastPass breach (so far)



Breaches aren’t always what they seem, and containment isn’t always guaranteed or long-lasting. Just ask LastPass.

A breach of the password manager’s infrastructure, first detected in August 2022, was declared contained by LastPass CEO Karim Toubba weeks later. By late November, it was very much not contained.

While the initial breach occurred in August 2022, LastPass said three months later that an unknown threat actor had accessed its cloud-based storage environment and encrypted password vaults, using information obtained during the August incident.

As the year came to a close, LastPass said customer data was significantly compromised as a result of the incident. The threat actor accessed and copied a cloud-based backup of customer vault data that included encrypted passwords, usernames and much more.

Here’s how everything unraveled, according to updates provided by LastPass. The company has not responded to requests for comment.

Aug. 25, 2022: Toubba, in a blog post, informed customers the password manager detected “some unusual activity within portions of the LastPass development environment.”

The company, following an initial investigation, said it uncovered no evidence of an unauthorized party accessing customer data or encrypted password vaults.

The unidentified threat actor gained access through a compromised developer account and stole portions of source code and proprietary technical information, Toubba said.

LastPass made a distinction between its production and development infrastructure at this stage, and said the unauthorized access was contained to its development environment, which doesn’t hold personal data.

The company, which has more than 100,000 business customers and more than 33 million registered users, said it deployed containment and mitigation measures and hired a cybersecurity and forensics firm to assist with further investigation.

“We have achieved a state of containment, implemented enhanced security measures and see no further evidence of unauthorized activity,” Toubba said.

In a brief FAQ, LastPass told users and administrators that no recommended actions need to be taken.

Sept. 15, 2022: LastPass said its security team detected a threat actor inside its development system during a four-day period and was able to contain the activity.

After it completed an investigation and forensic review with incident response firm Mandiant, LastPass said it found no further evidence of activity from a threat actor nor was any customer data or encrypted password vault accessed.

The company again emphasized that the unauthorized access was limited to its development system, which is “physically separated” from its production environment, leaving no direct access.

LastPass contained the incident sometime between mid-August, when it first detected the unusual activity, and mid-September, Toubba said in the updated blog post.

The threat actor used a developer’s compromised endpoint to gain access to the LastPass developer environment.

“While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multifactor authentication,” Toubba said.

Nov. 30, 2022: For the first time, LastPass acknowledged customer data was compromised as a result of the August breach.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Toubba said in a brief update.

The incident was now spreading and exposing customer data.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Toubba said.

The company did not say when it discovered the subsequent breach, what type of customer information was exposed or how many customers were potentially compromised.

Toubba blamed “unusual activity within a third-party cloud storage service,” and LastPass re-engaged Mandiant and notified law enforcement.
