Popular password manager service LastPass has disclosed a second cyberattack, potentially putting millions of users’ passwords and personal data at risk.
LastPass is used by individuals and businesses to securely store and manage their passwords, and is relied upon for its high level of security. This is the company’s second breach disclosure in less than a year.
The attack was detected on February 22, when LastPass’s security team noticed suspicious activity on their servers. They quickly took action to investigate the matter and discovered that an unauthorized user had gained access to the LastPass database.
“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022,” said a company disclosure.
The company said it immediately launched an investigation and hired a leading cybersecurity firm to assist with it.
LastPass: Breach 2.0
“The threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity,” said the company disclosure.
According to the company, the breach appears to have been caused by a vulnerability in software from one of its third-party vendors. The attacker exploited this vulnerability to gain access to the LastPass database. The company has not disclosed the identity of the vendor in question.
“The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources,” said the company disclosure.
The attacker gained access to users’ email addresses, encrypted password vaults, and other personal information. The company claims that the attacker did not obtain users’ master passwords, which are used to decrypt the encrypted password vaults.
However, LastPass acknowledges that it is still possible for the attacker to decrypt some of the passwords by guessing master passwords against the stolen encrypted vaults, a technique known as “brute-forcing.”
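The brute-forcing risk described above depends on two things the attacker cannot change once a vault copy is in hand: the strength of the master password and the cost of the key-derivation function that turns it into a vault key. The following script is an added illustration, not code from the article or from LastPass; it assumes a PBKDF2-HMAC-SHA256 vault key derivation, an illustrative iteration count, and a hypothetical attacker guess rate, and it estimates how long an offline guessing effort would take for a few constructed master passwords so a user can judge what "strong enough" means.

```python
import hashlib
import math

# Assumption (not stated in the article): the vault key is derived with
# PBKDF2-HMAC-SHA256. The iteration count is the main cost knob a vendor
# or user can raise to make each guess more expensive.
KDF_HASH = "sha256"


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key from the master password (assumed KDF).

    Every guess an attacker tests against a stolen vault must pay for
    this full derivation, so higher iteration counts slow guessing.
    """
    return hashlib.pbkdf2_hmac(
        KDF_HASH, master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate from length and character classes used.

    This is the classic pool-size model. It overestimates dictionary
    words and common patterns, so treat it as an upper bound useful
    only for comparing candidate passwords against each other.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def expected_guesses(entropy_bits: float) -> float:
    """On average the correct guess is found after half the keyspace."""
    return 2 ** entropy_bits / 2


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float) -> float:
    """Expected seconds for an offline guessing effort.

    hmac_per_second is the attacker's assumed single-iteration HMAC
    throughput (a hypothetical figure); each guess costs `iterations`
    of them.
    """
    return expected_guesses(entropy_bits) * iterations / hmac_per_second


def report(passwords, iteration_counts, hmac_per_second):
    """Return (password, iterations, entropy_bits, years) rows for a table."""
    rows = []
    for pw in passwords:
        bits = estimate_entropy_bits(pw)
        for iters in iteration_counts:
            years = expected_crack_seconds(bits, iters, hmac_per_second) / (365 * 86400)
            rows.append((pw, iters, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    # Constructed sample master passwords, from weak to a long passphrase.
    samples = ["Summer22", "Tr0ub4dor&3", "correct horse battery staple!"]
    # Illustrative iteration counts and an assumed attacker throughput.
    iteration_counts = [5_000, 600_000]
    assumed_rate = 1e9  # HMAC-SHA256 per second on GPU hardware (assumption)

    # Show that the KDF itself is deterministic for a given password/salt.
    salt = b"constructed-salt"
    assert derive_vault_key("Summer22", salt, 5_000) == derive_vault_key("Summer22", salt, 5_000)

    print(f"{'master password':32} {'iters':>8} {'bits':>6} {'expected years':>16}")
    for pw, iters, bits, years in report(samples, iteration_counts, assumed_rate):
        print(f"{pw:32} {iters:>8} {bits:>6} {years:>16.3g}")
```

The table makes the point of the article's warning concrete: raising the iteration count helps by a constant factor, but only a long master password moves the estimate from hours to geological timescales, which is why the advice to use a strong master password and enable two-factor authentication matters even when the vault data is encrypted.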
According to the company, several steps were taken to mitigate the impact of the attack, including resetting passwords for all affected users and implementing additional security measures.
The company has also advised users to enable two-factor authentication, which provides an extra layer of security by requiring users to enter a unique code in addition to their password.
LastPass: Breach 1.0
This is the second time in less than a year that LastPass has suffered a data breach. In August 2022, the company disclosed a similar attack that had occurred in July.
The recent attack underscores the importance of strong passwords and the need for robust security measures to protect against cyber threats.
“While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” company CEO Karim Toubba said in a statement.
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” Months later, LastPass’s parent company GoTo confirmed that threat actors had stolen customers’ encrypted backups during that breach.
“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and Remotely Anywhere,” said GoTo CEO Paddy Srinivasan in the statement.
“At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems,” he added.