The password manager giant LastPass released a notice saying their systems were hit by yet another security breach, for the second time this year.
The first time their systems were jeopardized, in August, LastPass discovered that an employee’s work account was used to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code. LastPass CEO Karim Toubba said that the malicious activity was contained and that the company doesn’t need to take further action.
At the end of November, the second attack resulted in the intruder gaining access to customer information. LastPass confirmed that the second compromise was related to the first. However, LastPass wasn’t the only one that suffered from the latest attack, as the company shares its third-party cloud storage with its parent company – GoTo, which also owns LogMeIn and GoToMyPC.
Although neither company has revealed who their third-party cloud storage provider is, it is likely Amazon Web Services, as it is a popular choice for major brands. The conclusion comes from an Amazon blog post from 2020 that described how GoTo (known as LogMeIn at the time) migrated more than a billion records from Oracle’s cloud to AWS.
The Work of a Malicious Hacker or a Security Researcher?
The company said it was “working diligently” to identify what specific information the intruder accessed. Judging by their blog post, LastPass doesn’t yet know if it extracted data from its cloud storage or what customer data was accessed.
Although gaining unauthorized access is breaking the law, the end goal isn’t always malicious, as system breaches can be an act of good faith. The wording used in LastPass’ blog in August does leave this possibility open. However, working to report or fix an issue instead of causing one doesn’t always mean the good-willed hacker or security researcher won’t face charges.
Even though the motive of the hacker or group of hackers is not yet known, it is fairly safe to assume that their intentions were malicious, since LastPass noted that the two attacks are connected.
What Information is LastPass Withholding and Why?
Instead of providing a precise date and method of detection, LastPass refers to the breach as “recently detected.” Usually, when a company discovers a breach swiftly, it becomes a point of pride that is made public in detail. Without necessary context, announcing the security issue as “recent” could mean that the company has only detected it recently and that the breach happened long ago.
Another vital part of the issue left undisclosed by LastPass is the precise data compromised in the security breach. The company has only mentioned that “certain elements” of customer data were accessed, which could be as broad as personal information given to LastPass by their registering customers or as critical as sensitive billing information and customers’ encrypted password vaults.
LastPass didn’t disclose whether it stored customers’ encrypted password vaults in the same cloud storage that was targeted. The company only mentions that customer passwords “remain safely encrypted,” which can still be correct as a customer’s master password is required to access a password vault.
By exposing password vaults, the hackers could potentially remove a significant obstacle in the way of accessing a person’s passwords, as their protection is only as strong as the master password is.
It’s reasonable to assume that the intruder had significant access to the customer information held by the breached cloud storage, potentially even unrestricted access. A scenario that doesn’t involve large-scale data theft could only be possible if LastPass compartmentalized and segmented its customer information.
LastPass says it does not store user data on its development environment, initially compromised in August. The company also says that its development environment and production environment – a term for servers that actively process and handle user information – are physically separated.
Despite LastPass saying there was “no evidence” of unauthorized access to its production environment in August, the intruder may have gained access to its cloud production environment. It’s worth noting that LastPass has about 33 million customers, while its parent company GoTo has 66 million customers.
Although the LastPass blog post offers only light details, the statement from GoTo has even less to offer. What’s even more amusing is that GoTo published the blog post with a “noindex” directive, effectively telling search engines not to list it in search results. Only those who know the exact web address can find the post.
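A “noindex” directive can be set either as a `<meta name="robots">` tag in the HTML or as an `X-Robots-Tag` response header, and a page hidden this way looks normal in a browser. The following checker, an added example that is not part of the article, inspects a page’s HTML and headers for both forms; the sample HTML and headers are constructed here so the script runs offline.

```python
from html.parser import HTMLParser


class RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots"> and <meta name="googlebot"> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.extend(d.strip().lower() for d in a["content"].split(","))


def noindex_sources(html, headers):
    """Return where a noindex directive is set: 'meta' for the HTML tag, 'header' for X-Robots-Tag."""
    found = []
    parser = RobotsMetaParser()
    parser.feed(html)
    if "noindex" in parser.directives:
        found.append("meta")
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        # Header form is "noindex, nofollow" or bot-scoped "googlebot: noindex".
        parts = [p.split(":")[-1].strip().lower() for p in value.split(",")]
        if "noindex" in parts and "header" not in found:
            found.append("header")
    return found


# Constructed sample: a notice page hidden from search engines both ways.
HIDDEN_HTML = ('<html><head><title>Security Incident</title>'
               '<meta name="robots" content="noindex, nofollow"/></head>'
               '<body><p>Notice</p></body></html>')
HIDDEN_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "googlebot: noindex"}

# Constructed sample: an ordinary, indexable page.
PUBLIC_HTML = '<html><head><title>Blog</title></head><body><p>Hello</p></body></html>'
PUBLIC_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(noindex_sources(HIDDEN_HTML, HIDDEN_HEADERS))  # ['meta', 'header']
    print(noindex_sources(PUBLIC_HTML, PUBLIC_HEADERS))  # []
```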