The entire saga has been a complete disaster from LastPass’ perspective and, faced with an attacker with razor-sharp dedication, there was very little room for error in the first place. The most jarring aspect of this second incident is that LastPass said both alerting and logging were enabled but didn’t “immediately indicate the anomalous behaviour” because investigators couldn’t differentiate between the threat actor and legitimate activity. “The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data,” another blog post reads. These contained “encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical data backups (opens in new tab)”. It’s from here the house of cards began to crumble.Īccording to LastPass, the threat actor exported native corporate vault entries and content of shared folders.
They therein installed a keylogger tracking the engineers’ activity, gaining access to their master password and bypassing LastPass’ authentication processes. The threat actor reportedly exploited vulnerabilities in a third-party media software platform, Plex, to broker access. After nearly three years of remote and hybrid working, one would expect a company in the business of information security (opens in new tab) would have mitigated such remote working security risks (opens in new tab). To make matters worse, this engineer was just one of four individuals with access to critical decryption keys. This is before learning later that stolen information was used to wage a second attack.ĭisclosed in December, the second incident (opens in new tab) saw hackers gain access to LastPass’ corporate systems after targeting and successfully compromising a senior LastPass DevOps engineer’s (opens in new tab) home PC. But to its detriment, the company then declared this incident closed. LastPass said “no customer data or vault data was taken” (opens in new tab) during that incident.
0 kommentar(er)
