Karim Toubba, the CEO of LastPass, has published a notice on the company's blog to inform users about the security incident. The article says that LastPass recently detected some unusual activity within a third-party cloud storage service that it uses. This storage server is shared between LastPass and GoTo (formerly known as LogMeIn). Once it noticed the security breach, LastPass alerted law enforcement about it. The company also began an investigation of its own, again in partnership with a security firm called Mandiant, to discover the origin of the attack and trace its scope.

Its investigation has led the company to believe that the new security incident is directly related to the August 2022 data breach. To recall the incident, hackers had gained access to LastPass' development environment for 4 days. But the forensic report published by the password manager service had claimed that no user data had been stolen during that attack. This time, however, LastPass mentions that the threat actors exploited the information from the previous hack to gain access to some elements of LastPass' customer data.

But the company says that the hackers did not steal the passwords of its users, because of LastPass' Zero Knowledge, i.e. the technology that it employs to encrypt user data. The service does not store its decryption keys on its servers; these are saved on the end user's device, and the vault is end-to-end encrypted. Since LastPass itself does not have access to the encryption key, this likely means that the contents of the password vault are safe. If that is the case, and I'm purely speculating here, if the passwords are safe, what else could the hackers have stolen? The only other data that LastPass could have has got to be related to customers' personal information which is related to their subscription details, e.g.

I'd still advise users to keep an eye on their mail inbox to check if any unauthorized login attempts have been made; it's the logical thing to do. LastPass has not disclosed further details about the breach. It is still investigating the scope of the incident to determine what user data was accessed. We can expect another update from the company that explains more about the hack, and how it affects users. Meanwhile, Toubba has confirmed that the company's services are fully functional. He also reassured LastPass users that they are monitoring the situation to detect and prevent further malicious activity by the hackers.

Security incidents like these are the reason why some people prefer to use offline password managers like KeePass, because the only person who has access to your vault is you. You can't blame them for that, though one could argue that any website and service is open to attacks; it is the strength and quality of the security protocols that they use that actually matters. That said, if you have enabled 2-factor authentication for the accounts that you have stored in the cloud-based password manager, you should be relatively safe from attacks.

Update: On December 22, LastPass published a new blog post with further information about leaked customer information, saying that account information such as billing addresses, email addresses, end-user names, telephone numbers, and IP address info were obtained. Also leaked was customer vault data, which includes unencrypted data such as website URLs and encrypted data such as website usernames and passwords, secure notes, and form-filled data. You can read more about the information lost in the company’s blog post, as well as its full explanation of what’s happened so far and the steps the company is taking next. If you’re a LastPass customer, your best protection is to use a strong random password that’s never been used elsewhere. You can also choose to switch providers: our round-up of the best password managers has suggestions beyond LastPass that you can try. The original story from Dec 1, which covers more background details of the leak, follows below.

Back in August, the popular password manager suffered a security breach, in which the company’s developer environment was infiltrated. At the time, LastPass said that while part of its source code and proprietary technical info were taken, customers were unaffected. Now the company has experienced a second related hack, this time impacting customers. As reported Wednesday on its blog, LastPass recently detected unusual activity within a third-party cloud storage service.