from the dysfunction-junction dept

Back in August, password manager LastPass vaguely admitted that hackers had accessed the company’s systems. In that original August disclosure the company tap danced around the subject, claiming that while it had identified some “unusual activity,” no customer data had been accessed.

By November, LastPass had begun shifting its story, acknowledging that the unauthorized August access to its systems had allowed an unidentified third party to “gain access to certain elements” of customer information later on. Then, right before the Christmas holiday on December 22, LastPass finally revealed something closer to the full truth. And it’s not pretty:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Alongside the vaults, the attacker also copied a backup of basic customer account information: company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. All of that information, including numerous IP address records that allow a user’s location and movement to be tracked, is now in the hands of an unknown third party.

The vaults also included users’ encrypted passwords. Those are only as safe as the master password that protects them: the vault’s encryption key is derived from the master password, and the number of derivation iterations in the account settings decides how expensive each offline guess is for whoever now holds the copy. Users with strong master passwords and updated default account settings (LastPass’s current default is 100,100 PBKDF2 iterations) are likely fine, but users with older account settings and weaker master passwords may have had their entire password list exposed, meaning those folks are now spending the holiday updating potentially every website and service password they had stored.
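To make the “strong master password and updated settings” point concrete, here is an added example (not code from this article, and not LastPass’s own code) of the offline attack anyone holding a stolen vault copy can run. It models the vault key as PBKDF2-HMAC-SHA256 over the master password, salted with the account email, with the iteration count read from the account’s settings. The stolen vault is represented by a constructed dump that stores, per account, the plaintext email, the iteration count, a plaintext site URL (URLs are unencrypted in the real vault, per the LastPass statement), and an HMAC tag over that URL under the derived key; the tag is a stand-in for the “does this guess decrypt to something sensible” check a real cracker performs on an encrypted field. The 100,100 figure is LastPass’s stated current default; the 5,000 figure for an old, never-migrated account, the sample accounts, the master passwords and the wordlist are all assumptions made for the example.

```python
import hashlib
import hmac

# Assumed key-derivation shape (simplified model, not LastPass's actual code):
# PBKDF2-HMAC-SHA256, salted with the lowercased account email, 32-byte key,
# with the iteration count taken from the account's settings.
def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def field_tag(key: bytes, plaintext_field: bytes) -> bytes:
    # Stand-in for an encrypted field whose decryption can be checked: an HMAC
    # under the vault key over a field whose plaintext the attacker already
    # knows (the site URL sits unencrypted next to it in the dump).
    return hmac.new(key, plaintext_field, hashlib.sha256).digest()


def build_record(email: str, master_password: str, iterations: int, site_url: str) -> dict:
    # Everything in the returned record except the master password is what
    # the attacker sees in the stolen backup.
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,
        "iterations": iterations,
        "url": site_url,
        "tag": field_tag(key, site_url.encode("utf-8")),
    }


# Constructed stolen dump (assumed data): an old account that was never migrated
# off a low iteration count and uses a weak master password, and a current
# account at the 100,100-iteration default with a long passphrase.
STOLEN_DUMP = [
    build_record("old.user@example.com", "sunshine1", 5_000, "https://bank.example"),
    build_record("new.user@example.com", "correct horse battery staple 2022", 100_100, "https://bank.example"),
]

# Tiny constructed wordlist; a real attacker uses billions of candidates.
WORDLIST = ["123456", "password", "qwerty", "sunshine1", "letmein", "iloveyou"]


def crack_record(record: dict, wordlist: list) -> "str | None":
    """Offline dictionary attack against one account in the dump.

    Derives a candidate key for each guess using the iteration count the
    attacker reads straight from the record, then checks the known-plaintext
    tag. Returns the recovered master password, or None if no guess matched.
    """
    for guess in wordlist:
        key = derive_vault_key(guess, record["email"], record["iterations"])
        if hmac.compare_digest(field_tag(key, record["url"].encode("utf-8")), record["tag"]):
            return guess
    return None


def guesses_per_second(record: dict, pbkdf2_rounds_per_second: float) -> float:
    """Per-guess cost is linear in the iteration count, so an attacker with a
    given PBKDF2 throughput gets this many master-password guesses per second
    against this particular account."""
    return pbkdf2_rounds_per_second / record["iterations"]


if __name__ == "__main__":
    for record in STOLEN_DUMP:
        recovered = crack_record(record, WORDLIST)
        rate = guesses_per_second(record, 1_000_000)
        print(f"{record['email']}: iterations={record['iterations']}, "
              f"~{rate:.0f} guesses/s at 1M rounds/s, recovered={recovered!r}")
```

Two things follow from running it. The iteration count is not a secret: it is right there in the dump, so low-iteration accounts are the first ones an attacker sorts to the top of the queue, and each of them costs roughly twenty times fewer guesses than a 100,100-iteration account. And once the copy is out, raising the iteration count on your account changes nothing about the copy the attacker already has; only a master password that is not in any realistic wordlist keeps the vault closed.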

Security researchers weren’t impressed, for several reasons. For one, it took LastPass months to reveal the full scope of the intrusion. And when the company finally did, it not only buried the news ahead of the big holiday in the apparent hope of minimizing attention, but, as security researcher Wladimir Palant argued, the announcement was misleading from beginning to end:

LastPass is trying to present the August 2022 incident and the data leak now as two separate events. But using information gained in the initial access in order to access more assets is actually a typical technique used by threat actors. It is called lateral movement.

So the more correct interpretation of events is: we do not have a new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure people’s data is now gone. Yes, this interpretation is far less favorable to LastPass, which is why they likely try to avoid it.

That entire post is worth a read, as it outlines the numerous instances in which LastPass attempts to distort both the event history and the scale of the breach. And again, this wasn’t just some fly-by-night shop selling garbage smart home doodads. This was a company purportedly dedicated to consumer security, and this is just one major event in a string of bad decisions and previous breaches.


Companies: lastpass
