The LastPass security breach that occurred back in August did allow attackers to access customer data, says the company. It had previously said that no customer data was compromised.
LastPass owner LogMeIn stresses that customer passwords have not been compromised, as the company uses end-to-end encryption so that only the subscriber has the decryption key …
Background
LastPass is a password manager competing with 1Password. With these tools, all your passwords are stored in encrypted form, and you can log in to any website using only a single master password to unlock your vault. If your devices are safely in your possession and protected by their own security, you would typically leave your vault unlocked for the rest of each day, enabling seamless login to all your accounts.
The company confirmed a reported security breach back in August. An attacker gained access to the company’s development environment, and was able to access source code and other technical data. LogMeIn said at the time that there had been no access to either customer data or the production environment (which meant the attacker couldn’t push a compromised update to users). However, today’s report reveals that customer data was subsequently compromised.
(An earlier security alert turned out to have nothing to do with LastPass: It was an attacker using login credentials obtained elsewhere to attempt to access LastPass accounts. Since the whole point of using a password manager is to avoid using the same password on more than one service, this was unlikely to succeed.)
LastPass security breach worse than reported
LogMeIn has now said that while the initial attack didn’t allow access to customer data, information obtained during that attack was subsequently used to do so.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
The company’s CEO Karim Toubba says that it is still working to determine the scope of the attack, and to identify the specific customer data accessed. We would expect the company to notify affected customers once it has done so.
Company stresses security recommendations
The company has pointed users to its security recommendations for using LastPass. The most important of these is, of course, to ensure that you use a very strong, unique password as your Master Password. Anyone who was able to obtain this password would then have access to all of your logins.
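The Background section above describes the vault model (passwords stored encrypted, unlocked by a single master password) and this section stresses why the master password must be strong. The following Python example, added here and not code from LastPass or 9to5Mac, models that zero-knowledge design with the standard library only: the client stretches the master password with PBKDF2, encrypts the vault locally, and sends the server nothing but the ciphertext and a separately derived login hash. The iteration count, the salt choice, the HMAC-counter stream cipher (a stdlib stand-in for AES-GCM) and all sample values are assumptions for illustration, not LastPass’s actual parameters.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumed work factor; real products tune this per client and raise it over time.
KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client-side: stretch the master password into a 32-byte vault key.
    The server never sees this value."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round over the vault key gives the server a value it can
    check at login without being able to recover the vault key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: the stored blob reveals nothing without vault_key."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(vault_key: bytes, blob: dict) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


def simulate(master_password: str, attacker_guess: str) -> dict:
    """Walk through enrolment, a genuine unlock, and an attacker holding only
    what the server holds plus a wrong guess at the master password."""
    email = "alice@example.com"          # constructed sample account
    salt = email.encode()                 # assumption: account identifier as KDF salt
    vault = json.dumps({"github.com": "constructed-site-password"}).encode()

    # Client side: everything secret stays on the device.
    vault_key = derive_vault_key(master_password, salt)
    server_record = {                     # the only things the service stores
        "email": email,
        "login_hash": derive_login_hash(vault_key, master_password),
        "blob": encrypt_vault(vault_key, vault),
    }

    # Genuine user re-deriving the key from the master password.
    recovered = decrypt_vault(derive_vault_key(master_password, salt), server_record["blob"])
    # Someone with the server record but the wrong master password.
    wrong = decrypt_vault(derive_vault_key(attacker_guess, salt), server_record["blob"])
    return {"vault": vault, "recovered": recovered, "wrong": wrong,
            "server_record": server_record}


if __name__ == "__main__":
    result = simulate("correct horse battery staple", "password123")
    print("genuine unlock ok:", result["recovered"] == result["vault"])
    print("wrong guess yields:", result["wrong"])
```

The point the example makes is the one the article relies on: a stolen server record contains no key material, so an attacker holding it can only try master passwords one at a time, each costing a full PBKDF2 run. A long, unique master password is what keeps that search impractical; a short or reused one is what turns an encrypted blob into a recoverable vault.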
9to5Mac’s Take
Any customer data breach is an embarrassment, but never more so than when it occurs with a password manager. We expect the company to be fully transparent during the course of its investigation, and at its conclusion. It should also directly contact all customers whose data was accessed to reveal exactly what information was compromised.