Last year in 2022, there were 1,802 data compromises affecting more than 422 million people – but the LastPass data breach is the one that has security practitioners chatting.

The original incident happened in August of 2022. Initially, we were told it was a “minor” breach…yet the story continues to evolve even at the time of the writing of this blog.

One of the more significant factors: how LastPass places the blame for the breach on remote working (instead of on how they implemented their own remote working security policies). It’s a decision that’s left many in the industry scratching their heads, while at the same time seeking ways to prevent the same attacks in their own companies.

Let’s start at the beginning of the disclosures: on Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that the August 2022 security incident directly paved the way for an “unauthorized party” to steal customer account information and sensitive vault data.

GoTo (the company formerly known as LogMeIn that acquired LastPass in 2021) released a statement regarding the original security breach it experienced back in August 2022. GoTo has 800,000 enterprise and private users, but the company is still refusing to disclose how many of them were affected by the LastPass breach.

As more information came out, LastPass confirmed that a threat actor had “targeted a senior DevOps engineer by exploiting vulnerable third-party software.” The third-party software was the popular media streaming software Plex…and the vulnerability was a two-year-old CVE from 2020.

LastPass is said to have a registered user base of over 25 million.

## What Was Lost

As detailed in the incident summaries, the threat actor stole both LastPass proprietary data and customer data, including the following:

Summary of Data Accessed in Incident 1:

- On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.
- Internal scripts from the repositories – these contained LastPass secrets and certificates.
- Internal documentation – technical information that described how the development environment operated.
- DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
- Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data.