LastPass, the password manager behemoth, has suffered yet another data security breach, this time exposing user information.
According to LastPass CEO Karim Toubba’s blog post, hackers gained access to “certain elements” of “customers’ information” by accessing a third-party cloud storage service used by the password manager. Although the third-party cloud provider wasn’t identified, an Amazon Web Services blog post from 2020 mentioned the company’s migration of a billion customer records to Amazon’s cloud.
In August, LastPass discovered that an employee's work account had been used to gain unauthorised access to the company's development environment, which houses some of LastPass' source code. Toubba said at the time that the malicious activity had been contained and that customers needed to take no action.
The second incident came at the end of November and gave the intruder access to customer data. LastPass confirmed that this compromise was connected to the first. Because LastPass shares its third-party cloud storage with its parent company, GoTo, which also owns LogMeIn and GoToMyPC, LastPass was not the only company harmed by the latest attack.
A Malicious Hacker Is Probably Behind The Security Breach
LastPass’ blog post from August left open the possibility that the “unauthorised party” was not acting in bad faith.
It is possible to gain unauthorised access to a system (and so break the law) while still acting in good faith, if the end goal is to report the problem to the company and have it fixed.
That intent does not necessarily shield you from a hacking charge if the company (or a prosecutor) objects to the intrusion. But when it is clear that a good-faith hacker or security researcher is trying to get a security problem fixed rather than exploit it, common sense usually prevails.
Although the intent of the hacker, or hackers, is still unknown, it is reasonable to treat them as malicious: according to LastPass' blog post, this latest compromise was carried out using information stolen in the August attack, and coming back months later to use stolen material is not how a good-faith researcher behaves.
LastPass does not say what that information was. It may have been credentials or access keys the unauthorised party picked up during its raid on the development environment in August but that LastPass never revoked, which is exactly the kind of secret an incident response should rotate.
What Kind Of Customer Information Might Have Been Jeopardised?
Another critical aspect of the problem that LastPass has not disclosed is the precise data compromised in the security breach. The company has only stated that “certain elements” of customer data were accessed, which could include anything from personal information provided to LastPass by registering customers to sensitive billing information and encrypted password vaults.
LastPass is confident that its users' passwords are safe because of the way it built its zero-knowledge architecture. Under a zero-knowledge design, a company stores only encrypted customer data that the customer alone can decrypt. In this case, LastPass keeps each customer's encrypted password vault in its cloud storage, but neither LastPass nor anyone else holds the master password from which the vault's encryption key is derived.
LastPass' phrasing leaves it unclear whether customers' encrypted vaults live in the same shared cloud storage that was compromised. LastPass says only that customer credentials "remain safely encrypted", which can be true even if an unauthorised party accessed or copied the encrypted vaults, because the customer's master password is still needed to decrypt them.
But if the encrypted vaults were taken, or are later exfiltrated, a major barrier is gone: the attacker no longer needs access to LastPass' systems, only the victim's master password, and can guess at it offline with no rate limiting or lockout in the way. A stolen vault is then only as secure as the master password and the key-derivation work factor behind it. LastPass has documented a default of 100,100 PBKDF2-SHA256 rounds, but accounts created before that default was raised may still be on a lower setting unless the user changed it.
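The two paragraphs above (the zero-knowledge design, and what changes once an encrypted vault is in an attacker's hands) are easier to reason about with a concrete model. The following is an added example, not LastPass' code or vault format: the account email as PBKDF2 salt, the fixed header used to verify a guess, the sample wordlist and the two sample vaults are all assumptions constructed for the illustration. It shows why the only things protecting a stolen vault are the master password's strength and the KDF iteration count.

```python
"""Offline guessing against a stolen encrypted vault.

Illustration added here; not LastPass's code or vault format. It models a
zero-knowledge vault the way a practitioner reasons about one: the server
holds only a check value (standing in for ciphertext plus its auth tag)
computed under a key that PBKDF2 stretches from the master password. Once
that blob is in an attacker's hands, no server-side control limits guessing.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

HEADER = b"vault-header-v1"  # fixed known plaintext (assumption) used to verify a guess


@dataclass(frozen=True)
class StolenVault:
    """What the attacker walks away with: salt, work factor and a check value."""
    email: str          # account email doubles as the PBKDF2 salt here (assumption)
    iterations: int     # KDF work factor, stored beside the vault in the clear
    verifier: bytes     # HMAC-SHA256(key, HEADER); stands in for an AEAD tag


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_vault(email: str, master_password: str, iterations: int) -> StolenVault:
    """Build the server-side artefact a breach would expose; no plaintext is kept."""
    key = derive_vault_key(master_password, email, iterations)
    verifier = hmac.new(key, HEADER, "sha256").digest()
    return StolenVault(email=email, iterations=iterations, verifier=verifier)


def guess_matches(vault: StolenVault, candidate: str) -> bool:
    """One attacker guess: derive the key and see whether the check value agrees."""
    key = derive_vault_key(candidate, vault.email, vault.iterations)
    tag = hmac.new(key, HEADER, "sha256").digest()
    return hmac.compare_digest(tag, vault.verifier)


def crack(vault: StolenVault, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack; returns (recovered master password or None, guesses made)."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if guess_matches(vault, candidate):
            return candidate, tried
    return None, tried


def seconds_per_guess(vault: StolenVault, probes: int = 3) -> float:
    """Measure the KDF cost on this machine; attackers scale this across GPUs."""
    start = time.perf_counter()
    for i in range(probes):
        derive_vault_key(f"probe-{i}", vault.email, vault.iterations)
    return (time.perf_counter() - start) / probes


def days_to_exhaust(guesses: float, secs_per_guess: float, parallelism: int = 1) -> float:
    """Wall-clock days needed to try `guesses` candidates at the measured rate."""
    return guesses * secs_per_guess / parallelism / 86400


# Constructed sample data: a tiny dictionary and two vaults with different work
# factors. 100,100 is the PBKDF2 default LastPass has documented; 5,000 is the
# kind of lower setting an older account may still carry.
WORDLIST = ["password", "letmein", "Summer2022!", "Welcome1", "correct horse battery staple"]
WEAK_VAULT = make_vault("alice@example.com", "Summer2022!", iterations=5_000)
STRONG_VAULT = make_vault("bob@example.com", "not-in-any-wordlist-9F2q", iterations=100_100)

if __name__ == "__main__":
    pw, n = crack(WEAK_VAULT, WORDLIST)
    print(f"weak vault: recovered {pw!r} after {n} guesses")
    pw, n = crack(STRONG_VAULT, WORDLIST)
    print(f"strong vault: recovered {pw!r} after {n} guesses")
    for v in (WEAK_VAULT, STRONG_VAULT):
        s = seconds_per_guess(v)
        print(f"{v.iterations:>7} iterations: {s * 1000:.1f} ms/guess, "
              f"{days_to_exhaust(1e9, s):.1f} days for 1e9 guesses on one core")
```

Two things to take from running it: the vault with a dictionary-word master password falls on the third guess regardless of work factor, and raising the iteration count only multiplies the per-guess cost, which a determined attacker offsets with parallel hardware. The practical advice for anyone whose vault may have been copied follows directly: a long, unique master password matters far more than any server-side setting.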
How Many Customers Are Affected?
If the intruder got into a shared cloud storage account that held customer data, it is reasonable to assume they had significant, if not unrestricted, access to whatever was stored there.
The best case is that LastPass segmented customer data so that a single compromised storage account could not expose everything at once.
According to LastPass, the development environment first breached in August holds no customer data, and its development and production environments are physically separated. "Production environment" means the servers that actively process and store customer data.
By that reasoning, although LastPass said in its August post-mortem that there was "no indication" of unauthorised access to its production environment, the intruder appears to have reached the company's cloud storage environment, which is why what the access logs show matters.
In the worst case, every one of LastPass' roughly 33 million users is affected. GoTo reported 66 million customers at its most recent earnings in June.
Did GoTo hide its data security breach notice?
GoTo's own statement was vaguer still than the LastPass blog post it linked to, and it was harder to find. GoTo added a "noindex" directive to the page, telling search engine crawlers such as Google's to skip it and leave it out of their results, so the notice would not surface in a search and only someone who already knew its exact web address could reach it.
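A "noindex" directive can sit in either of two places, a `<meta name="robots">` tag in the page's HTML head or an `X-Robots-Tag` HTTP response header, and either one alone is enough to keep a page out of search results. The checker below is an added example, not GoTo's code or anything from its site; the sample breach-notice page, the plain page and the response headers are constructed for the illustration. It inspects both the body and the headers, so it catches a notice hidden by a header that a view of the HTML source would miss.

```python
"""Is a page hidden from search engines?

Added example; not GoTo's code, and the sample page and headers below are
constructed. A site can keep a page out of search results two ways: a
<meta name="robots" content="noindex"> tag in the HTML head, or an
X-Robots-Tag HTTP response header. A 'noindex' (or 'none') from either is
enough, so a checker has to look at both the body and the headers.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple

NOINDEX = ("noindex", "none")  # 'none' is shorthand for 'noindex, nofollow'


def _split_directives(value: str) -> List[str]:
    """'noindex, NoFollow' -> ['noindex', 'nofollow']."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]


class RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots"> and <meta name="googlebot">."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lowercases tag names for us
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.extend(_split_directives(attr.get("content", "")))


def header_directives(headers: Dict[str, str]) -> List[str]:
    """Directives from X-Robots-Tag, which may carry a 'user-agent:' prefix."""
    found: List[str] = []
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        body = value
        if ":" in value:
            prefix, rest = value.split(":", 1)
            # 'googlebot: noindex' has an agent prefix; 'unavailable_after: <date>' does not
            if prefix.strip().lower() != "unavailable_after":
                body = rest
        found.extend(_split_directives(body))
    return found


def is_hidden_from_search(html: str, headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """True if any noindex directive applies; also returns every directive seen."""
    parser = RobotsMetaParser()
    parser.feed(html)
    found = parser.directives + header_directives(headers)
    return any(d in NOINDEX for d in found), found


# Constructed samples: a breach notice with a noindex meta tag, a plain page,
# and a response whose headers (not its HTML) carry the directive.
NOTICE_HTML = """<!doctype html>
<html><head>
<meta charset="utf-8">
<title>Security Incident Update</title>
<meta name="robots" content="noindex, nofollow">
</head><body><p>We recently detected unusual activity in a shared storage service.</p></body></html>"""
PLAIN_HTML = "<html><head><title>Blog</title></head><body><p>hello</p></body></html>"
HEADER_ONLY = {"Content-Type": "text/html; charset=utf-8", "X-Robots-Tag": "googlebot: noindex"}

if __name__ == "__main__":
    for label, html, hdrs in [("notice", NOTICE_HTML, {}),
                              ("plain", PLAIN_HTML, {}),
                              ("header-only", PLAIN_HTML, HEADER_ONLY)]:
        hidden, seen = is_hidden_from_search(html, hdrs)
        print(f"{label:>11}: hidden={hidden} directives={seen}")
```

To check a live notice, fetch it with `curl -si <url>`, split the response at the blank line, and pass the header block (as a dict) and the body to `is_hidden_from_search`. A `noindex` on a breach disclosure is worth flagging in any review of how a vendor handled its notification duties, since it does not remove the page but does keep people who search for it from finding it.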