Two weeks ago, the password manager giant LastPass disclosed its systems were compromised for a second time this year.

Back in August, LastPass found that an employee's work account was compromised to gain unauthorized access to the company's development environment, which stores some of LastPass' source code. LastPass CEO Karim Toubba said the hacker's activity was limited and contained, and told customers that there was no action they needed to take.

Fast-forward to the end of November, and LastPass confirmed a second compromise that it said was related to its first. This time around, LastPass wasn't as lucky. The intruder had gained access to customer information.

In a brief blog post, Toubba said information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.

But since then, we've heard nothing new from LastPass or GoTo, whose CEO Paddy Srinivasan posted an even vaguer statement saying only that it was investigating the incident, but neglected to specify if its customers were also affected.

GoTo spokesperson Nikolett Bacso-Albaum declined to comment.

Over the years, TechCrunch has reported on countless data breaches and what to look for when companies disclose security incidents. With that, TechCrunch has marked up and annotated LastPass' data breach notice with our analysis of what it means and what LastPass has left out, just as we did with Samsung's still-yet-unresolved breach earlier this year.

What LastPass said in its data breach notice

LastPass and GoTo share their cloud storage

A key part of why both LastPass and GoTo are notifying their respective customers is that the two companies share the same cloud storage.

Neither company named the third-party cloud storage service, but it's likely to be Amazon Web Services, the cloud computing arm of Amazon, given that an Amazon blog post from 2020 described how GoTo, known as LogMeIn at the time, migrated more than a billion records from Oracle's cloud to AWS.

It's not uncommon for companies to store their data - even from different products - on the same cloud storage service. That's why it's important to ensure proper access controls and to segment customer data, so that if a set of access keys or credentials is stolen, it cannot be used to reach a company's entire trove of customer data. If the cloud storage account shared by both LastPass and GoTo was compromised, it may well be that the unauthorized party obtained keys that allowed broad, if not unfettered, access to the company's cloud data, encrypted or otherwise.

LastPass doesn't yet know what was accessed, or if data was taken

In its blog post, LastPass said it was "working diligently" to understand what specific information was accessed by the unauthorized party. In other words, at the time of its blog post, LastPass doesn't yet know what customer data was accessed, or if data was exfiltrated from its cloud storage.

It's a tough position for a company to be in. Some move to announce security incidents quickly, especially in jurisdictions that obligate prompt public disclosures, even if the company has little or nothing yet to share about what has actually happened.

LastPass will be in a far better position to investigate if it has logs it can comb through, which can help incident responders learn what data was accessed and if anything was exfiltrated. It's a question that we ask companies a lot, and LastPass is no different. When a company says that it has "no evidence" of access or compromise, it may be that it lacks the technical means, such as logging, to know what was going on.

A malicious actor is probably behind the breach

The wording of LastPass' blog post in August left open the possibility that the "unauthorized party" may not have been acting in bad faith. It is possible both to gain unauthorized access to a system (and break the law in the process) and still to act in good faith, if the end goal is to report the issue to the company and get it fixed. That might not let you off a hacking charge if the company (or the government) isn't happy with the intrusion. But common sense often prevails when it's clear that a good-faith hacker or security researcher is working to fix a security issue, not cause one.

At this point it's fairly safe to assume that the unauthorized party behind the breach is a malicious actor at work, even if the motive of the hacker - or hackers - is not yet known.

LastPass' blog post says the unauthorized party used information obtained during the August breach to compromise LastPass a second time. LastPass does not say what this information is.
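The segmentation point made above (one stolen set of keys should not reach every product's customer data), as an added example that is not part of the article and not LastPass or GoTo code. It assumes, as the article only speculates, AWS-style storage with IAM-style policy documents, and it is a deliberately simplified evaluator: Effect, Action and Resource with `*` wildcards only, no Conditions, NotAction, NotResource, or cross-account logic. The bucket names, key prefixes and both policies are invented for the illustration. Run it and the wildcard policy reaches every object in the shared account, while the scoped policy reaches only the vault-backup prefix.

```python
"""Blast-radius check for storage access policies (added illustration).

Simplified AWS-IAM-style evaluation: Allow/Deny statements, '*' wildcards
in Action and Resource, explicit Deny wins, default deny. Conditions,
NotAction/NotResource and resource policies are out of scope.
"""
import fnmatch

# Constructed inventory of a shared storage account: two products' customer
# data (a password vault product and a remote-access product) plus billing
# records live side by side, as the article describes for LastPass and GoTo.
OBJECTS = [
    "arn:aws:s3:::acme-vault-prod/customers/vault-backups/2022-11/a.bin",
    "arn:aws:s3:::acme-vault-prod/customers/vault-backups/2022-11/b.bin",
    "arn:aws:s3:::acme-remote-prod/customers/session-recordings/x.mp4",
    "arn:aws:s3:::acme-billing-prod/invoices/2022-11/inv-001.pdf",
]

# Over-broad policy: whoever steals this key can read everything.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Segmented policy for a vault-backup worker: read its own prefix only,
# and explicitly deny the other products' buckets (Deny beats Allow).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::acme-vault-prod/customers/vault-backups/*",
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::acme-remote-prod/*",
                "arn:aws:s3:::acme-billing-prod/*",
            ],
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """'*' and '?' wildcards, as IAM uses them; fnmatch has the same semantics here."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Explicit Deny beats any Allow; nothing matching means deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; fold both sides.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt["Resource"])
        if not (_matches(actions, action.lower()) and _matches(resources, resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def reachable(policy, action, objects):
    """Objects a holder of this policy could read with the given action."""
    return [obj for obj in objects if is_allowed(policy, action, obj)]


def blast_radius(policy, action="s3:GetObject", objects=OBJECTS):
    """(sorted bucket names reachable, number of objects reachable) for one stolen credential."""
    reached = reachable(policy, action, objects)
    buckets = sorted({arn.split(":::")[1].split("/")[0] for arn in reached})
    return buckets, len(reached)


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        buckets, count = blast_radius(pol)
        print(f"{name:6s}: {count} objects across {buckets}")
```

The useful habit is to run this kind of check against the policies actually attached to service credentials, not just the policies one believes are attached: a key created for a backup job that carries `s3:*` on `*` is exactly the "broad, if not unfettered" access the article worries about, and the fix is in the policy, not in how carefully the key is stored.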
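For the logging point above (with logs, incident responders can learn what data was accessed and whether anything left), an added example, again not from the article and not LastPass or GoTo code. It assumes AWS-style storage, as the article suggests but does not confirm, and works over constructed CloudTrail-style S3 data-event records; the field names follow CloudTrail (`eventName`, `userIdentity.accessKeyId`, `sourceIPAddress`, `requestParameters.bucketName`/`key`, `additionalEventData.bytesTransferredOut`), while the key IDs, addresses, buckets and object names are invented. One practitioner caveat: CloudTrail does not record S3 object-level (data) events unless a trail explicitly enables them, so if they were never switched on, these records simply do not exist, which is the "no evidence" situation the article describes.

```python
"""Post-theft triage of storage access logs (added illustration).

Given CloudTrail-style S3 GetObject records, answer per access key:
which objects were read, from where, how many bytes went out, and
whether the key crossed a product boundary it had no business crossing.
"""
import json


def _rec(key_id, ip, bucket, obj_key, nbytes, when):
    """Build one constructed CloudTrail-style S3 GetObject record as a JSON line."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": when,
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
        "requestParameters": {"bucketName": bucket, "key": obj_key},
        "additionalEventData": {"bytesTransferredOut": nbytes},
    })


# Constructed log: a legitimate backup worker reads its own prefix, then a
# second key reads across three products' buckets from an outside address.
LOG_LINES = [
    _rec("AKIAEXAMPLE0000001", "10.20.0.5", "acme-vault-prod",
         "customers/vault-backups/2022-11/a.bin", 1048576, "2022-11-20T02:00:01Z"),
    _rec("AKIAEXAMPLE0000001", "10.20.0.5", "acme-vault-prod",
         "customers/vault-backups/2022-11/b.bin", 2097152, "2022-11-20T02:00:03Z"),
    _rec("AKIAEXAMPLE0000002", "203.0.113.7", "acme-vault-prod",
         "customers/vault-backups/2022-11/a.bin", 1048576, "2022-11-21T23:14:09Z"),
    _rec("AKIAEXAMPLE0000002", "203.0.113.7", "acme-remote-prod",
         "customers/session-recordings/x.mp4", 52428800, "2022-11-21T23:15:40Z"),
    _rec("AKIAEXAMPLE0000002", "203.0.113.7", "acme-billing-prod",
         "invoices/2022-11/inv-001.pdf", 20480, "2022-11-21T23:16:02Z"),
]

# Constructed context an incident responder would pull from inventory:
# where each service credential is supposed to run, and which product owns which bucket.
KNOWN_WORKER_IPS = {"10.20.0.5"}
PRODUCT_OF_BUCKET = {
    "acme-vault-prod": "vault",
    "acme-remote-prod": "remote",
    "acme-billing-prod": "billing",
}


def parse_events(lines):
    """Keep only S3 GetObject records and flatten the fields triage needs."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "GetObject":
            continue
        params = rec.get("requestParameters") or {}
        extra = rec.get("additionalEventData") or {}
        events.append({
            "key_id": (rec.get("userIdentity") or {}).get("accessKeyId", "?"),
            "ip": rec.get("sourceIPAddress", "?"),
            "bucket": params.get("bucketName", "?"),
            "object": params.get("key", "?"),
            "bytes_out": int(extra.get("bytesTransferredOut", 0)),
            "time": rec.get("eventTime", ""),
        })
    return events


def summarize(events):
    """Per access key: objects, buckets and source addresses seen, bytes out, time window."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["key_id"], {
            "objects": set(), "buckets": set(), "ips": set(),
            "bytes_out": 0, "first": ev["time"], "last": ev["time"],
        })
        s["objects"].add(f'{ev["bucket"]}/{ev["object"]}')
        s["buckets"].add(ev["bucket"])
        s["ips"].add(ev["ip"])
        s["bytes_out"] += ev["bytes_out"]
        s["first"] = min(s["first"], ev["time"])   # ISO-8601 strings sort chronologically
        s["last"] = max(s["last"], ev["time"])
    return summary


def flag_keys(summary, known_ips=KNOWN_WORKER_IPS, product_of_bucket=PRODUCT_OF_BUCKET):
    """Keys worth escalating: used from an unrecognised address, or read across product lines."""
    findings = {}
    for key_id, s in summary.items():
        reasons = []
        unknown = sorted(s["ips"] - known_ips)
        if unknown:
            reasons.append(f"requests from unrecognised address(es) {unknown}")
        products = sorted({product_of_bucket.get(b, "unknown") for b in s["buckets"]})
        if len(products) > 1:
            reasons.append(f"read data belonging to {len(products)} products: {products}")
        if reasons:
            findings[key_id] = reasons
    return findings


if __name__ == "__main__":
    summary = summarize(parse_events(LOG_LINES))
    for key_id, s in summary.items():
        print(f"{key_id}: {len(s['objects'])} objects, {s['bytes_out']} bytes out, "
              f"{s['first']} .. {s['last']}")
    for key_id, reasons in flag_keys(summary).items():
        print(f"ESCALATE {key_id}: " + "; ".join(reasons))
```

Bytes-out totals are what turn "accessed" into "exfiltrated": a key that read a 50 MB session recording from an address nobody recognises is a very different finding from a key that listed a prefix and read nothing, and without object-level logging neither statement can be made at all.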