LastPass source code breach – incident response report released

Briefly put, LastPass concluded that the attackers managed to implant malware on a developer’s computer. With a beachhead on that computer, it seems that the attackers were then able to wait until the developer had gone through LastPass’s authentication process, including presenting any necessary multi-factor authentication credentials, and then “tailgate” them into the company’s development systems.

LastPass insisted that the developer’s account hadn’t given the criminals access to any customer data, or indeed to anyone’s encrypted password vaults. The company did admit, however, that the crooks had made off with LastPass proprietary information, notably including “some of our source code and technical information”, and that the crooks were in the network for four days before they were spotted and kicked out.

According to LastPass, customer passwords backed up on the company’s servers never exist in decrypted form in the cloud. The master password used to unscramble your saved passwords is only ever requested and used in memory on your own devices. Therefore, any passwords stored into the cloud are encrypted before they’re uploaded, and only decrypted again after they’ve been downloaded. In other words, even if password vault data had been stolen, it would have been unintelligible anyway.

Right at the end of November 2022, however, LastPass further admitted that there was a bit more to the story than perhaps they’d hoped. According to a security bulletin dated, the company was recently breached again by attackers “using information obtained in the August 2022 incident”, and this time customer data was stolen.