Lastpass says hackers accessed customer data in new breach

piquiteco

Level 14
Thread author
Verified
Top Poster
Well-known
Oct 16, 2022
624
LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.

Lastpass says hackers accessed customer data in new breach

LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.

The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.

"We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," the company said.

"We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information."

Lastpass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack.

It also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.
"We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information."

So for me it reads like the didn't bother to change passwords after the August incident. I mean if I can get in with information stolen in August something is "strange".
 

Razza

Level 4
Verified
Well-known
Aug 12, 2014
165
Lasspass must have poor security practises or just totally incompetent, a competent organisation after a security breach would change passwords and rotating ever API/access key, it's a total joke a cadential they managed to steal from August 2022 still is valid.

My workplace currently uses lastpass, I've heard rumours from people higher in the company IT department than me it's getting replaced hopefully soon than later, zero credibility at the moment .
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
He links directly to the LastPass blog. They are trying to be "transparent." It seems this is fallout from that earlier breach but LastPass claims customers' passwords remain "safe" due to proprietary encryption. But this whole thing is like chewing gum stuck to the sole of one's shoe, it seems.

If you're worried about your password/s, Mr. Hunt is hopefully on it. (y)

 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
626
I bought LastPass Premium in October, and yesterday after getting an email 3 months later from LP about another breach in August, I deleted my account. Imo, you don't tell your customers three months after the fact but when it happens. It is like they were trying to hide it , and in the meantime one's vault could potentially become compromised. Of course, they stated that everyone's passwords were fully protected. I feel LP has lax security practices. Maybe they need to do an independent third party security audit in order to find their weaknesses, and plug the holes so as to restore faith in their product again. In the meantime, I will be looking elsewhere.
 

Dark Knight

Level 5
Verified
Well-known
Aug 17, 2013
228
I really do not understand how this company is still in business and how all it's users have just not walked away from it.
How many breaches does this company have to have before people wise up? Eventually there will be a breach that will be very costly, not to Lastpass but it's users
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
More fallout from the LastPass breach:


LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.

This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information.

Toubba added in a new update to the original statement that Lastpass' cloud storage was accessed using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

Twitter
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
More fallout from the LastPass breach:




Twitter

On one side, it sounds like if you have a strong master password users should be okay.

However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass.
On the other side, however, if LastPass lets users set very simple passwords, then there might be a problem.
I haven’t used LastPass in quite some time so I don’t recall if they allow users to set password like abc123 as master passwords
 

piquiteco

Level 14
Thread author
Verified
Top Poster
Well-known
Oct 16, 2022
624
On the other side, however, if LastPass lets users set very simple passwords, then there might be a problem.
I haven’t used LastPass in quite some time so I don’t recall if they allow users to set password like abc123 as master passwords
LastPass does not allow users to set passwords like abc123 as master passwords. I just checked
1671769999161.png
The minimum requirements of the master password that LastPass accepts is pretty weak. Minimum requirements: At least 12 characters, At least 1 number, At least 1 lower case letter, At least 1 upper case letter. Where are the special characters? for example: !@#$%^&* :confused:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top