According to the business, another security breach directly related to the one that happened in August has affected password manager LastPass.
According to a blog post by LastPass CEO Karim Toubba, “An unauthorized entity was able to acquire access to some pieces of our client’s information using information gained in the August 2022 event.”
With the help of LastPass, users can safely create and remember passwords across many devices, save digital documents, and share them with trusted contacts. The goal of LastPass' zero-knowledge strategy is to prevent LastPass from having access to a customer's master password.
According to Toubba, all of the organization’s employees are up and running. According to the business, LastPass is collaborating with an independent security firm to investigate the breadth of the incident and precisely what data was obtained.
A cloud storage provider used by LastPass subsidiary GoTo was affected by the incident, which it revealed on Wednesday.
Best Password Manager to Use for 2022
Selecting a new password can be difficult, and so can deciding what to base it on. Should you pick a name for your pet? Which high school teacher was your favorite? When it comes to passwords, you cannot be negligent. Because you want your data to be safe and your personal information protected, using weak passwords like your name or basic number sequences is dangerous.
A weak password may be simpler to memorize and use, but it's risky. You must be vigilant in protecting your accounts since the individuals attempting to steal your information are experts at cracking passwords. A password manager can help with that.
LastPass Review: A Leading Password Manager With a Changing Value Proposition
Andrew Carnegie frequently gets privacy technologies completely wrong. But when it comes to password managers, Carnegie is typically more incorrect than dead. We entrust every login key into a single digital basket, a well-chosen password manager, which is where the majority of our digital privacy and security depend.
For example, I've used LastPass for so long that I can't remember when I first started. But now that LastPass' once-immortal free service has been restricted and web trackers have been found in the program, I'm definitely making the transfer.
But because I’m a brand loyalist, I won’t connect around like my millennial peers. I’ve tried quite a few other password organizers, and I’m eager to learn more about them now that I have a large stack of crypto lit at my home office. Up until recently, LastPass outlasted all of them. Although I’m personally switching to Bitwarden, which is still free across all platforms and has a solid open-source base, I continue to recommend LastPass to many non-techies because of its general usability.
You might want to think about using a password manager unless you intend to continually protect a hard copy of all the passwords. It can assist you in maintaining strong password security while easily managing all of your login details for every online account. Additionally, they come in useful for automatically filling out forms and synchronizing your data between Windows and Mac computers, iPhones, iPads, Android phones, and other devices.
Given the vast amount of passwords it protects globally, LastPass remains a big target. The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear but, typically, it's best practice after suffering a breach for the organisation to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused. For worried users, ensure you watch out for updates from the company and take time to verify these are legitimate before taking any action. In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security.
It appears LastPass may still have lessons to learn after their breach in August. Previously, they were clear about LastPass developers not having access to production systems, which was a positive. Given that developers often have a lot of access, it's critical that developer credentials are protected just like any systems administrator's.
However, in the latest breach, it seems information from the previous attack was used to gain access to some customer information. It shows that even though an attack seems to have been contained and measures put in place to stop it happening again, it’s still a case of “closing the stable door after the horse has bolted” so it should be assumed that data and credentials have been exfiltrated and available on dark web marketplaces.
If the root cause is indeed confirmed to be a compromised development system, then this latest episode is a continuation of an attack vector we have seen with the high profile ‘Sun Burst’ attack which targeted SolarWinds and several others.
Most organisations know very well the type of controls that they should have in place to protect production systems, yet many overlook such protections for software development environments – including toolchains such as build servers, source code repositories, and test instances – perhaps because these are not viewed as important as customer facing production services or are excluded from the scope of compliance with various existing standards because development environments themselves do not process customer data directly. However, once compromised, access to a development or test system can give away the ‘keys to the kingdom’ which allow an attacker lateral movement towards critical sensitive information, or permit an attacker to interfere in the software build process to introduce backdoors which make their way into production. Protecting software development environments, again and again, is proven to be of absolute importance to prevent these scenarios.
When we talk about software supply chain attacks, protecting the internal software delivery process and infrastructure itself is a critical element for many organisations. Guidelines have recently been released such as SLSA, NIST 800-161, and others, which highlight how an organisation can implement effective controls throughout the lifecycle. Many of the key concepts are actually quite familiar to seasoned information security professionals: adopt an adversarial mindset and implement appropriate controls to mitigate identified risks. Most organisations will already operate a secure development lifecycle, and so the topic of protecting the development environments themselves is a natural addition to the scope of that program if it is not already.
The ramifications of a successful breach of LastPass’s third-party cloud storage are serious. If customer data was stored there – which it appears it was – the company is potentially facing a situation in which personal data has been accessed by cybercriminals. This could be used to launch any number of different threats from social engineering attacks to classic phishing scams.
However, it’s important to note that LastPass does have a failsafe in place. LastPass’s Zero Knowledge architecture means that customers’ passwords are secured with virtually unbreakable encryption and this really limits the amount of damage a threat actor can do.
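The zero-knowledge design mentioned above (and in the description of LastPass earlier on this page) is easiest to understand in code. The following is an added illustration, not LastPass's own implementation or any vendor's published scheme: the client stretches the master password into a vault key, sends only a further one-way derivation of that key to log in, and the server stores a salted hash of even that. The vault itself is encrypted client-side before upload. The key-derivation parameters, the use of the e-mail address as salt, and the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag are all assumptions made so the example runs on the Python standard library alone (a real product would use AES-GCM or similar); the sample vault record is constructed.

```python
import hashlib
import hmac
import os

# Constructed parameter for illustration only; real products choose their own counts.
KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 32-byte vault key.
    The e-mail address is used as a per-user salt (an assumption of this example)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(),
                               KDF_ITERATIONS, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: the value sent to the server in place of the master password.
    It is derived one-way FROM the vault key, so the server can never work back to the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def server_enroll(login_hash: bytes) -> dict:
    """Server side: store only a salted, stretched hash of the login hash."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, KDF_ITERATIONS, dklen=32)
    return {"salt": salt, "verifier": verifier}


def server_check_login(record: dict, login_hash: bytes) -> bool:
    """Server side: constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"], KDF_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["verifier"])


def _subkeys(vault_key: bytes):
    # Separate encryption and authentication keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real stream/AEAD cipher.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client side: encrypt-then-MAC. Returns nonce || ciphertext || tag; this blob is what
    gets uploaded, so it is all a server-side thief can obtain."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag first; a wrong key or tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def vault_opens_with(stolen_blob: bytes, password: str, email: str) -> bool:
    """Models the limit of a breach of the stored blob: without the real master password the
    blob cannot be opened. The residual risk is therefore a weak master password, which is
    why a strong one plus MFA on the account matters."""
    try:
        decrypt_vault(derive_vault_key(password, email), stolen_blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    email, master = "user@example.com", "correct horse battery staple"   # constructed sample
    key = derive_vault_key(master, email)
    record = server_enroll(derive_login_hash(key, master))             # all the server keeps
    blob = encrypt_vault(key, b'{"site":"example.com","password":"hunter2"}')  # constructed
    print("login ok:", server_check_login(record, derive_login_hash(key, master)))
    print("wrong guess opens vault:", vault_opens_with(blob, "password123", email))
    print("decrypted:", decrypt_vault(key, blob).decode())
```

The point the code makes is that the two artefacts a server-side attacker can take, the login verifier and the encrypted blob, are both one-way derived from the master password, so the only path to the plaintext is the master password itself.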
It’s concerning to hear that LastPass has experienced another security incident following a previous one that was made public back in August. The attack involved source code and technical information being taken from unauthorized access to a third-party storage service the company was using.
The new breach is more severe because customer information has been accessed, which wasn’t the case previously. The intruder has done this by leveraging data exposed in the previous incident to gain access to the LastPass IT environment. The company says that passwords remain safely encrypted and that it is working to better understand the scope of the incident and identify exactly what data has been taken. You can bet that the IT security team is working around the clock on this and their visibility of the network and the devices being connected to it will be severely tested. Most organizations don’t have full visibility, which can make it very difficult in the aftermath of a breach to analyze what damage has been done and where the attacker’s entry point was.
Password managers are a challenging but attractive target for a threat actor, as they can potentially unlock a treasure trove of access to accounts and sensitive customer data in an instant if they are breached. However, I believe that the benefits of using a secure password management solution often far outweigh the risks of a potential breach. When layered with the other security recommendations, it’s still one of the best solutions to prevent credential theft and associated attacks. We just have to hope that customer confidence has not been impacted too much by these recent attacks.
LastPass customers should continue to monitor the website and official communications for new guidance. If the breach expands, then users should consider evaluating their security posture. This could involve proactively rotating passwords or temporarily using another password manager. I would also encourage everyone to use multi-factor authentication for their password management solution; this extra layer of security can be vital when breaches occur.