
Tech Giant Apple Launches Its Own Password Manager App

 

People with knowledge of the matter claim that Apple Inc. launched a new homegrown app this week called Passwords, with the goal of making it simpler for users to log in to websites and apps. 

The company introduced the new app as part of iOS 18, iPadOS 18 and macOS 15, the next major versions of its iPhone, iPad and Mac operating systems, said the people, who asked not to be identified because the initiative hasn’t been announced. The password-generating and password-tracking software was unveiled on June 10 at Apple's Worldwide Developers Conference. 

The new app is backed by iCloud Keychain, a long-standing Apple tool for syncing passwords and account information across several devices. This capability was previously concealed within the company's settings app or displayed when a user logged into a website. 

Apple is attempting to encourage more people to use safe passwords and improve the privacy of its devices by making the feature available as a standalone app. However, the action increases competition with third-party apps. The new app will compete with password managers such as 1Password and LastPass, and Apple will allow users to import credentials from rival services. 

The app displays a list of user logins and divides them into categories such as accounts, Wi-Fi networks, and Passkeys, an Apple-supported password replacement that uses Face ID and Touch ID.

Like most password managers, the data can be auto-filled into websites and apps when a user logs in. The software will also function with the Vision Pro headset and Windows computers. It also supports verification codes and functions as an authentication software similar to Google Authenticator. 

The Passwords push is only one part of the WWDC event. The primary focus will be Apple's artificial intelligence project, which will include features such as notification summaries, fast photo editing, AI-generated emoji, and a more powerful Siri digital assistant. Apple will also announce a collaboration with OpenAI to utilise the ChatGPT chatbot.

LastPass Security Breach Linked to Series of Crypto Heists, Say Experts

 

Security experts allege that some of the LastPass password vaults, which were stolen in a security breach towards the end of 2022, have now been successfully breached, leading to a series of substantial cryptocurrency thefts. 

According to cybersecurity blogger Brian Krebs, a group of researchers has uncovered compelling evidence linking over 150 victims of crypto theft to the LastPass service. The combined value of the stolen cryptocurrency is estimated to be over $35 million, with a frequency of two to five high-value heists occurring each month since December 2022.

Taylor Monahan, the lead product manager at MetaMask, a cryptocurrency wallet company, and a prominent figure in the investigation, noted that the common denominator among the victims was their prior use of LastPass to safeguard their "seed phrase" – a confidential digital key necessary to access cryptocurrency investments. 

These keys are typically stored on secure platforms like password managers to thwart unauthorized access to crypto wallets. Furthermore, the pilfered funds were traced to the same blockchain addresses, further solidifying the connection between the victims.

LastPass, a password management service, experienced two known security breaches in August and November of the previous year. 

During the latter incident, hackers utilized information acquired from the first breach to gain access to shared cloud storage containing customer encryption keys for vault backups. We have contacted LastPass to verify if any of the stolen password vaults have indeed been breached and will provide an update if we receive a response.

LastPass CEO Karim Toubba informed The Verge in a statement that the security breach in November is still under active investigation by law enforcement and is also the subject of pending litigation. The company did not confirm whether the 2022 LastPass breaches are related to the reported crypto thefts.

Researcher Nick Bax, who holds the position of Director of Analytics at crypto wallet recovery company Unciphered, also examined the theft data and concurred with Monahan’s conclusions in an interview with KrebsOnSecurity:

“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

Upgrading Online Security with Password Managers

Online security has become a major concern for individuals and businesses alike, as cyber-attacks become more sophisticated and prevalent. Passwords play a critical role in protecting online security, but the traditional method of using passwords has become inadequate due to the increasing number of online accounts people use, making it challenging to remember multiple passwords.

According to TechRadar, the use of password managers has emerged as a solution to this problem. These tools generate complex and unique passwords for each account, securely store passwords, and autofill passwords, making them convenient to use. The article suggests that password managers have become essential for enhancing online security. 

Password managers not only provide a higher level of security but also make managing passwords easier. "With the ever-increasing number of accounts people hold, there is a higher risk of password reuse, which makes users more vulnerable to cyber-attacks. A password manager can help overcome this issue," says tech writer Ashwin Bhandari. 

Android Police highlights the advantages of using password managers, including the ability to generate secure passwords and store them securely. The tool also helps users avoid the risk of weak passwords or using the same password for multiple accounts, which could make them vulnerable to cyber-attacks. 

CyberNews has compiled a list of the best password managers available, including LastPass, Dashlane, and 1Password. These password managers use strong encryption methods to protect user passwords and employ multi-factor authentication to provide an additional layer of security.

"Multi-factor authentication is the best way to protect your account from unauthorized access. While a password manager can generate and store passwords, enabling multi-factor authentication can prevent hackers from gaining access to your account even if they have your password," says cybersecurity expert John Smith.

Password managers have become a crucial tool for maintaining online security, to sum up. Users can prevent the risk of using weak passwords or the same password for many accounts by utilizing them since they make it convenient to generate and save complex passwords securely. Password managers can help people and businesses increase their internet security and defend against cyberattacks.

LastPass Breach: CISA Warns of Exploited Plex Bug

 


The massive breach at LastPass has been traced to an employee who failed to update Plex on his home computer while updating Plex on his work computer, a sobering reminder of the risks of failing to keep software up to date. 

A recent report from the embattled password management service revealed that unidentified actors used information stolen in a previous incident, which occurred before August 12, 2022, together with data obtained from a third-party data breach and vulnerabilities in third-party media software packages, to launch a coordinated second attack between August and October 2022. 

That intrusion ultimately allowed the adversary to steal customer information and partially encrypted password vault data. 

The second attack targeted one of the DevOps engineers, infecting the engineer's home computer with keylogger malware, forging credentials and breaching the cloud storage environment. 

CISA also added a critical-severity vulnerability, tracked as CVE-2021-39144 and exploited by third parties since early December, to its Known Exploited Vulnerabilities (KEV) catalog. 

Under Binding Operational Directive BOD 22-01, issued by the Army in November 2021, U.S. federal agencies are mandated to secure their systems by March 31st against attacks exploiting the two security holes that could impact their networks. 

As part of its ongoing effort to flag security flaws exploited by hackers, CISA has listed a high-severity, relatively old remote code execution (RCE) vulnerability in Plex Media Server that was discovered almost three years ago.

Tracked as CVE-2020-5741, the issue is a high-severity deserialization flaw in Plex Media Server that can be exploited remotely to execute arbitrary Python code. 

The vulnerability was addressed with the release of Plex Media Server 1.19.3. Exploiting it successfully requires administrator rights, which makes it an unlikely target of attacks in the future. 

In August 2022, Plex reported that there had been a data breach that could adversely affect over 15 million customers. In this breach, usernames, emails, and passwords were stolen, resulting in the loss of personal information. 

The implications of this are that unpatched Plex Media Server instances are still vulnerable to CVE-2020-5741 attacks and could be exploited by malicious individuals. 

Although the CISA team added the vulnerability to the KEV list without providing any information about its potential in-the-wild exploitation, media reports recently suggested that a Plex bug exploited to hack a DevOps engineer's computer may have been responsible for the data breach at LastPass last year that led to the theft of user vault data.

LastPass Releases New Security Incident Disclosure and Recommendations

 

LastPass was compromised twice last year by the same actor, once in late August 2022 and again on November 30, 2022. On Wednesday, the global password manager company released a report with new findings from its security incident investigation as well as recommended actions for affected users and businesses. As per LastPass, the hacker first gained access to a software engineer's corporate laptop in August. 

The first attack was critical because the hacker was able to use information stolen by the threat actor during the initial security incident. The bad actor then launched the second coordinated attack by exploiting a vulnerability in a third-party media software package. The second attack targeted the home computer of a DevOps engineer.

“The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault,” detailed the company's recent security incident report.

LastPass has validated that the attacker gained access to the company's data vault, cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, customer metadata, and all customer vault data backups during the second incident. The LastPass vault also includes access to the shared cloud-storage environment, which houses the encryption keys for customer vault backups stored in Amazon S3 buckets, which users utilize to store data in their Amazon Web Services cloud environment.

The second attack was laser-focused and carefully planned, as it targeted one of only four LastPass employees with access to the corporate vault. After decrypting the vault, the hacker exported the entries, including the decryption keys required to access the AWS S3 LastPass production backups, other cloud-based storage resources, and related data.

In two security bulletins, LastPass issued instructions to affected users and businesses. The following are the key points from those bulletins. The Security Bulletin: Recommended actions for LastPass free, premium, and families include best practices for master passwords, guidebooks to creating strong passwords, and allowing extra layers of security such as multifactor authentication. Users were also urged to change their passwords.

LastPass master passwords should be between 16 and 20 characters long, include a minimum of one upper and lower case, numeric, symbol, and special character, and be unique — that is, not used on another site. Users can reset LastPass master passwords by following the official LastPass guide.

LastPass also requested that users use the Security Dashboard to check the security score of their current password strength, enable and test the dark web monitoring feature, and enable default MFA. Users are notified when their email addresses appear in dark web forums and sites. To assist businesses that use LastPass, the Security Bulletin: Recommended Actions for LastPass Business Administrators was created exclusively after the event. The more comprehensive guide contains ten points:
  • Master password length and complexity.
  • The iteration counts for master passwords.
  • Super admin best practices.
  • MFA shared secrets.
  • SIEM Splunk integration.
  • Exposure due to unencrypted data.
  • Deprecation of Password apps (Push Sites to Users).
  • Reset SCIM, Enterprise API, and SAML keys.
  • Federated customer considerations.
  • Additional considerations.
Super admin LastPass users have access to more features than the average administrator. Following the attacks, the company issued special recommendations for super admin users due to their extensive powers. The following are LastPass super admin recommendations.
 
LastPass has stated that it is confident that it has taken the necessary steps to limit and eliminate future access to the service; however, according to Wired, the most recent disclosure of LastPass was so concerning that security professionals "started calling for users to switch to other services." LastPass' main competitors are 1Password and Dashlane.

Experts have also questioned LastPass's transparency, pointing out that it fails to date security incident statements and has yet to clarify when the second attack occurred or how long the hacker was inside the system; the amount of time a hacker spends inside a system has a significant impact on the amount of data and systems that can be exploited. (I contacted LastPass for a response but did not receive one.)

The consequences of these recent security incidents are clear to LastPass users. While the company maintains that there is no evidence that the compromised data is being sold or marketed on the dark web, business administrators are left to deal with LastPass' extensive recommendations.

A password-free future

Unfortunately, password manager hacking is not a new phenomenon. Since 2016, LastPass has had security incidents every year, and other top password managers such as Norton LifeLock, Passwordstate, Dashlane, Keeper, 1Password, and RoboForm have been either targeted, breached, or proven to be vulnerable, according to Best Reviews.

Password manager companies are increasingly being targeted by cybercriminals because they store sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted. Cybersecurity practices, transparency, breaches, and data exfiltration can all have an impact on the future of these password manager companies in this highly competitive landscape.

Password Changes are Required for LastPass Customers

 


Despite being one of the most popular password managers on the market, LastPass has suffered another major breach, putting customers' passwords as well as their personal information at risk.  

It was established just over a year ago that LastPass, a popular password manager that stores customers' passwords and other sensitive information in encrypted vaults, had been compromised by cybercriminals as a result of a data breach. 

Karim Toubba, the CEO of LastPass who announced the hack, explained that the attackers took a copy of a backup of the information stored in a customer's vault as part of their intrusion. A LastPass employee used stolen cloud storage keys to access the data, which enabled them to steal keys from the company. 

There are several different ways in which the cache of customer password vaults is kept. However, the specific technical and security details of this proprietary format were not disclosed. The data is stored in both an unencrypted and encrypted format.   

It has been discovered that some of the web addresses stored in the vault are unencrypted. At this point, it is not known exactly when the backups were stolen.
 
As a result of an unauthorized party gaining access to the LastPass subscriber account, it was discovered that unencrypted personal data from subscribers' accounts, including LastPass user names, company names, billing addresses, email addresses, phone numbers, and IP addresses, had been accessed by the unauthorized party. As far as Toubba is concerned, this is certainly the case. The same unauthorized party also gained access to customers' vault data and stole a copy of it. The data stored in the vault by customers is both encrypted and unencrypted, and includes the URLs of websites as well as the usernames and passwords for all of the sites stored in the vault. 

Password vaults on LastPass are encrypted and can be accessed only with the customer's master password. It is worth mentioning that the company has warned that the cybercriminals behind this intrusion may try to decrypt the copies of vault data they took by using brute force to guess your master password. 

Besides the names, email addresses, phone numbers, and some billing information of more than 300,000 of Toubba's customers, the cybercriminals took vast amounts of information from their accounts as well. 

Password managers are overwhelmingly a smart idea for storing your passwords, as they enable you to create long, complex, and unique passwords for each website or service you use. If you do not already use one, you should. However, security incidents like this remind us that not all password managers are created equal, and that different ways can be used to attack or compromise them. It is important to remember that everyone's threat model differs, so no one's requirements will be the same as someone else's. 

In rare circumstances like this, a bad actor may gain access to customers' encrypted password vaults, and if so, “all they need is the master password” of the victim. An exposed or compromised password vault is only as strong as the encryption used to scramble it. 

As a LastPass user, the most helpful thing you can do for yourself is to change your current master password to a new one that is unique from the old password (or passphrase), written down and kept in a safe place. That way you can rest assured that your current LastPass vault is protected. 

You must begin changing all of the passwords stored in your LastPass vault as soon as you suspect your vault might be compromised, for instance if your master password is weak or if you have used it elsewhere. Identify the most critical accounts first, such as your email account, your mobile phone account, your bank account, and your social media accounts. These are the ones that you use most frequently. Start at the top of the priority list and work your way down from there. 

There is a possibility that if you are a subscriber to LastPass, you may want to look for another password manager in light of the severity of this breach. There is a serious risk of exposing your passwords and personal information if your computer is hacked by an unauthorized person.   

Is there anything LastPass customers should do?

If you are a LastPass subscriber, here's what you need to do right now: 

1. Look for a new password manager to keep track of your passwords

The severity of the latest breach, combined with LastPass's history of security incidents, gives more reason than ever to consider an alternative. 

2. Your most important passwords should be changed immediately

Several passwords are frequently overlooked, such as those used for online banking, financial records, internal company logins, and medical records.

CNET asked LastPass to answer additional questions it had regarding the breach. The company failed to respond, and it would not clarify how many users were affected by the breach. If you are a LastPass subscriber, you have to live with the fact that nobody knows who has access to your user and vault data, and you are putting your trust in that party. 

Source Code & Private Data Stolen From GoTo

GoTo, the parent company of LastPass, has disclosed that hackers recently broke into its systems and seized encrypted backups belonging to users. It claimed that in addition to LastPass user data, hackers managed to obtain data from its other enterprise products.

A data breach including the theft of source code and confidential technical information was announced by GoTo affiliate LastPass in August of last year. GoTo acknowledged being impacted by the attack in November, which was connected to an unidentified third-party cloud security vendor.

Paddy Srinivasan, chief executive of GoTo, revealed that the security breach was more severe than initially suspected and involved the loss of account usernames, salted and hashed passwords, a piece of the Multi-Factor Authentication (MFA) settings, along with some product settings and license data.

Despite the delay, GoTo did not offer any restoration assistance or guidance for the impacted consumers. According to GoTo, the company does not keep track of its client's credit card or bank information or compile personal data like dates of birth, addresses, or Social Security numbers. Contrast that with the incident that affected its subsidiary, LastPass, in which hackers grabbed the contents of users' encrypted password vaults along with their names, email addresses, phone numbers, and payment information.

LastPass' response to the leak was ripped apart by cybersecurity experts, who charged the firm with being opaque about the gravity of the situation and failing to stop the hack. To provide more reliable authentication and login-based security solutions, GoTo is also transferring its accounts onto an improved Identity Management Platform.

The number of impacted consumers was not disclosed by GoTo. Jen Mathews, director of public relations at GoTo, claimed that the company has 800,000 clients, including businesses, but she declined to address other queries.

LastPass, Okta, and Slack: Threat Actors Switch to Targeting Core Enterprise Tools


At the beginning of 2023, CircleCI, a development-pipeline service provider, warned its users of a security breach, advising companies to take immediate action by changing the passwords, SSH keys, and other secrets stored on or managed by the platform. 

The security attack on the DevOps services left the organization scrambling in order to assess the extent of the breach, restrict attackers' access to alter software projects and identify which development secrets had been compromised. The company updated configuration settings, rotated authentication tokens, worked with other providers to expire keys, and investigated the situation. 

The company states in an advisory last week, "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well." 

In the past year, identity services like Okta and LastPass have acknowledged system vulnerabilities, and developer-focused services like Slack and GitHub have reacted quickly to successful attacks on their infrastructure and source code. 

According to Lori MacVittie, a distinguished engineer and evangelist at cloud security firm F5, the series of attacks on fundamental enterprise tools means that organizations should anticipate these types of providers becoming frequent targets in the future. 

"As we rely more on services and software to automate everything from the development build to testing to deployment, these services become an attractive attack surface […] We don't think of them as applications that attackers will focus on, but they are," she says. 

Identity & Developer Services Vulnerable to Cyberattacks 

Lately, threat actors have targeted two major categories of services, i.e. identity and access management systems, and developer and application infrastructure. Both of the given services support the critical components of enterprise infrastructure. 

According to Ben Smith, CTO at NetWitness, a detection and response firm, identity is the glue that supports the organizations’ interface in every way, along with connecting the companies to their partners and customers. 

"It doesn't matter what product, what platform, you are leveraging, adversaries have recognized that the only thing better than an organization that specializes in authentication is an organization that specializes in authentication for other customers," says Smith. 

Meanwhile, developer services and tools have become yet another frequently attacked enterprise service. For example, a threat actor accessed the Rockstar Games creators' Slack channel in September and downloaded videos, pictures, and game code from the upcoming Grand Theft Auto 6 title. In regards to this, Slack says "a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository." 

Since identity and developer services enable access to a wide range of corporate assets, from application services to operations to source code, compromising these services can be a ‘skeleton key' to the rest of the company, adds Smith. "They are very very attractive targets, which represent low-hanging fruit […] These are classic supply chain attacks — a plumbing attack because the plumbing is not something that is visible on a daily basis."

Protect Yourselves by Managing Secrets Wisely, Establish Playbooks 

One defensive tactic suggested by Ben Lincoln, managing senior consultant at Bishop Fox, is comprehensive management of secrets. Companies should be able to “push the button” and rotate all necessary passwords, keys, and sensitive configurations. 

"You need to limit exposure, but if there is a breach, you hopefully have a push button to rotate all those credentials immediately," Smith further says. "Companies should plan extensively in advance and have a process ready to go if the worst thing happens." 

Organizations can also deceive intruders using traps. By employing various honeypot-like tactics, security teams can receive a high-fidelity warning that attackers might be on their network or using a service. Credential canaries—fake accounts and credentials—help identify when threat actors have access to critical assets. Beyond that, companies must prioritize applying zero-trust principles to minimize the attack surface, not just of machines, software, and services but also of operations, according to MacVittie.  
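The credential-canary idea above is easy to operationalize: because a canary account is never used legitimately, any authentication attempt against it, successful or not, is an alert. The following is an added example, not code from the original post or from any vendor named on the page; the log format, the canary account names and the sample lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed canary inventory: accounts that exist only as tripwires.
# Nothing legitimate ever authenticates with them, so any appearance in
# the auth log is a high-fidelity signal that someone is using stolen data.
CANARY_ACCOUNTS = {"svc-backup-ro", "finance-archive", "aws-legacy-deploy"}

# Constructed sample log in an assumed key=value format (not a real product's).
# Includes one malformed line to show the parser skips what it cannot read.
SAMPLE_LOG = """\
2023-01-05T09:58:12Z auth user=alice src=10.0.4.21 result=success
2023-01-05T10:02:47Z auth user=bob src=10.0.4.30 result=failure
this line is not an auth record and must be ignored
2023-01-05T10:12:33Z auth user=svc-backup-ro src=203.0.113.7 result=failure
2023-01-05T10:12:35Z auth user=svc-backup-ro src=203.0.113.7 result=success
2023-01-05T10:40:01Z auth user=carol src=10.0.4.22 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class CanaryAlert:
    timestamp: str
    user: str
    source: str
    result: str


def parse_line(line: str):
    """Return the fields of one auth record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_canary_use(log_text: str, canaries=CANARY_ACCOUNTS) -> list:
    """Emit one alert per log line that touches a canary account.

    Failed attempts are reported too: a canary credential appearing at all
    means the attacker holds a copy of the data it was planted in.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in canaries:
            continue
        alerts.append(CanaryAlert(rec["ts"], rec["user"], rec["src"], rec["result"]))
    return alerts


def summarize_sources(alerts: list) -> dict:
    """Group alerts by source address so responders see which host is probing canaries."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.source, []).append(a.user)
    return by_src


if __name__ == "__main__":
    found = detect_canary_use(SAMPLE_LOG)
    for a in found:
        print(f"CANARY TRIPPED {a.timestamp} user={a.user} src={a.source} result={a.result}")
    print(summarize_sources(found))
```

In the constructed sample, alice, bob and carol are normal users and produce nothing, while the two `svc-backup-ro` lines from 203.0.113.7 each produce an alert. In practice the canary names would be seeded into the same places real secrets live (a vault entry, a config file, a CI variable), so that their use pinpoints which store was exfiltrated.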

LastPass Data Leak: Data of 30 Million Users at Risk


What is LastPass Breach?

On 22nd December 2022, online password management service LastPass revealed that threat actors had stolen sensitive information from user accounts, including billing details, end-user names, email IDs, IP address information, and telephone numbers. 

The leak also includes customer vault data, which consists of both unencrypted data like website URLs and encrypted data like website usernames and passwords, form-filled data, and secure notes. An earlier hack of customer data in August 2022 led to this more severe data breach. 

Risks for LastPass Users

The data of all 30 million LastPass users stored on the company servers as of August 2022 is at risk. Hackers possess a copy of your entire password vault. If a hacker manages to crack your master password, they can take full control of your online life: full access to your bank accounts, emails, tax information, healthcare data, social media accounts, and much more. 

As per LastPass, hackers may try to brute force your master password in order to decrypt the copies of vault data they have stolen. But LastPass says this is highly unlikely: brute forcing a master password could take up to a million years if a user has a strong, secure password. But do users really have safe passwords?

Experts doubt claims by LastPass

Experts have raised doubts about LastPass' recent updates. “The statement is full of omissions, half-truths, and outright lies," says Wladimir Palant, security researcher and creator of AdBlock Plus. "The hack is a far more grave threat than reported – both to individual users as well as companies that employ LastPass for corporate password management," said senior security researcher John Scott Railton.

Jeremi Gosney, a senior information security engineer at Yahoo, has also been very critical of the response from LastPass and the company's approach to security. He said: "in the last 10 years... I don't know what the threshold of 'number of major breaches users should tolerate before they lose all faith in the service' is, but surely it's less than 7." 

Competing password service 1Password doubts the "millions of years" claim made by LastPass; it believes the claim rests on the assumption that LastPass users' 12-character passwords are generated by an entirely random process. In today's age, threat actors with the latest tools and technology can crack your passwords in just 30 minutes. 
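The disagreement in the two preceding paragraphs is really about assumptions: how random the master password is, how many PBKDF2 iterations protect the vault key, and how fast the attacker can hash. The following added example (not from the original post, LastPass or 1Password) makes those assumptions explicit. The attacker hash rate and the "human-chosen" 40-bit entropy figure are constructed planning values, and the 100,100 iteration count is used only as an illustrative setting; the calculation shows why a truly random 12-character password and a guessable one differ by many orders of magnitude under the same iteration count.

```python
import math

# Assumed attacker capability: SHA-256 computations per second across a cracking
# rig. A constructed planning figure, not a measurement of any real hardware.
ASSUMED_HASHES_PER_SECOND = 1e12

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly at random from a
    charset of `charset_size` symbols. Only for truly random passwords does length
    map cleanly onto guessing effort; human-chosen passwords fall far short."""
    return length * math.log2(charset_size)


def guesses_per_second(hashes_per_second: float, iterations: int) -> float:
    """Candidate master passwords an attacker can test per second when the vault
    key is derived with `iterations` PBKDF2 rounds: each guess costs roughly
    `iterations` hash computations, so raising the count slows every guess."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return hashes_per_second / iterations


def average_crack_years(bits: float, iterations: int,
                        hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected years to recover a password of `bits` entropy. On average the
    attacker searches half the keyspace before hitting the right guess."""
    keyspace = 2.0 ** bits
    seconds = (keyspace / 2.0) / guesses_per_second(hashes_per_second, iterations)
    return seconds / SECONDS_PER_YEAR


def compare_scenarios(iterations: int) -> dict:
    """Expected crack time for three password models at one iteration count:
    a random 12-char printable-ASCII password (the assumption 1Password says the
    LastPass claim rests on), a random 16-char password (the minimum length LastPass
    now recommends), and a human-chosen password modelled at a constructed 40 bits."""
    models = {
        "random-12-printable": entropy_bits(12, 95),
        "random-16-printable": entropy_bits(16, 95),
        "human-chosen-40-bits": 40.0,
    }
    return {name: average_crack_years(bits, iterations) for name, bits in models.items()}


if __name__ == "__main__":
    for iters in (5000, 100100):
        print(f"iterations={iters}")
        for name, years in compare_scenarios(iters).items():
            print(f"  {name:22s} ~{years:.3g} years")
```

Under these assumptions the random 12-character password takes on the order of hundreds of millions of years at 100,100 iterations, while the 40-bit human-chosen model falls to hours at the same setting. Both the "million years" and the "30 minutes" figures quoted above can be true at once; they simply describe different passwords.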

Lessons learned from LastPass- How to protect your online life?

  • If you're a LastPass user, it is highly likely that your online data is at risk. The following steps can however help users maintain internet security:
  • Update passwords of important accounts immediately.
  • Prioritize banking, email accounts, secure document storage, and other things as suggested by TechCrunch. 
  • Consider changing your password manager. You can go for other services like Bitwarden, Dashlane, and 1Password, these companies offer similar features and have a history of better track records in protecting user data.
  • Choose a strong master password while creating an account, make sure it's new. An ideal password should be 12-16 random characters. 
  • Create an account on the hacking alert website Have I Been Pwned? which will send you updates in case your account has been breached. 

LastPass Hacked, Customer Data and Vaults Secure

The password manager LastPass recently revealed that the attackers who breached its security in August 2020 also had access to its network for four days.
 
According to the latest statements by LastPass, the company's systems were intruded upon by cyber attackers for four days in August 2022. The company was able to detect and remove the malicious actors within this period.

With regards to the investigation updates concerning the security breach, the CEO of LastPass, Karim Toubba published a notice, stating, “We have completed the investigation and forensics process in partnership with Mandiant.” 
 
Furthermore, the company also stated, "There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults."
 
During the investigation, the company found that the malicious actors gained access to the development environment by compromising a developer's endpoint. After the developer had successfully completed multi-factor authentication, the attackers used their persistent access to impersonate the developer and enter the development environment.
 
However, the company stated that the system design and controls of the development environment prevented the threat actors from accessing customer data or encrypted password vaults.
 
LastPass's security measures include a master password, which is required to access a vault and decrypt its data. LastPass does not store that master password, so nobody other than the user can decrypt the vault. In essence, LastPass has no access to its users' master passwords.

An analysis of the source code and production builds found that, because LastPass does not allow developers to push source code from the development environment into production without a fixed process, the threat actors were also unable to inject poisoned or malicious code.
 
To reassure LastPass's customers, Toubba further stated in the notice that the company has "deployed enhanced security controls including additional endpoint security controls and monitoring." The company worked with Mandiant, an American cybersecurity firm and a subsidiary of Google, to conclude that no sensitive data had been compromised.

In 2015, the company suffered a security incident that exposed email addresses, authentication hashes, password reminders and other data. Today, LastPass has approximately 33 million customers, so a similar breach would have a far greater impact and is therefore a matter of utmost concern. LastPass assured customers that their private data and passwords are safe, as there was no evidence that any customer data had been compromised.


LastPass Developer Account Compromised, Data Stolen


LastPass Compromised, Data Stolen

LastPass, a password management firm, was hacked two weeks ago, allowing attackers to steal the company's source code and proprietary technical data.

The incident surfaced after Bleeping Computer learned of the breach from insiders and contacted the company last week. According to experts, employees struggled to contain the breach after LastPass was compromised.

LastPass issued a security advisory confirming that the company was compromised through a breached developer account, which the attackers used to gain access to the company's developer environment.

Company launches investigation 

According to LastPass, there is no evidence that encrypted password vaults or customer data were compromised, but the attackers did steal "proprietary LastPass technical data" and chunks of their source code. 

Responding to the incident, the company has deployed containment and mitigation measures and hired a leading cybersecurity agency to look into the issue. 

The investigation is still in progress. LastPass said that containment has been achieved, that it has applied additional security measures, and that it has seen no further evidence of malicious activity.

The company didn't disclose any further details related to the attack, like how the attackers breached the developer account and what source code was stolen. 

About LastPass 

LastPass is one of the largest password management companies in the world, with more than 33 million users and 100,000 businesses.

Because businesses and consumers use the company's software to keep their passwords safe, there are worries that a compromise of the company could give attackers access to stored passwords.

It should be noted, however, that LastPass stores passwords in encrypted vaults that can only be decrypted with a customer's master password, which, according to the company, was not compromised.

Company was targeted a second time

In 2021, LastPass was hit by a credential stuffing attack that allowed attackers to verify users' master passwords. Separately, it was also disclosed that threat actors stole LastPass master passwords and distributed the RedLine password-stealing malware.

Because of this, you should always enable two-factor authentication on your LastPass account so that threat actors cannot log in even if your password has been compromised.

"Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve," said LastPass.

CySecurity will keep its readers informed as further details emerge.