Two weeks agoPassword management giant LastPass revealed its system has been compromised second time this year.
Back in August, LastPass Find that an employee’s work account was compromised to gain unauthorized access to the company’s development environment, where some of LastPass’ source code is stored. LastPass CEO Karim Toubba said hacker activity was limited and contained, and told customers that they didn’t need to take any action.
Fast-forward to the end of November, and LastPass has confirmed the second compromise, which it says is related to the first. This time around, LastPass wasn’t so lucky. The intruder gained access to customer information.
In a short blog post, Toubba said the information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as to as customer data for parent company GoTo. owns LogMeIn and GoToMyPC.
But since then, we haven’t heard anything new from LastPass or GoTo, their CEO Paddy Srinivasan posted a more ambiguous statement only said they were investigating the incident, but omitted to specify whether their customers were affected.
GoTo spokesman Nikolett Bacso Albaum declined to comment.
Over the years, TechCrunch has reported on countless data breaches and What are you looking for when companies disclose security incidents. Along with that, TechCrunch has marked and LastPass data breach notice caption ️ with our analysis of what it means and what LastPass left out — just like we did with Samsung Violations have not been handled yet this early year.
What LastPass said in its data breach notice
LastPass and GoTo share their cloud storage
An important part of why both LastPass and GoTo notify their respective customers is because of the two companies share the same cloud storage 🖍️.
Neither company has named the third-party cloud storage service, but it’s likely Amazon Web Services, Amazon’s cloud computing arm, because Amazon blog post from 2020 described how GoTo, known as LogMeIn at the time, migrated over a billion records from the Oracle cloud to AWS.
It’s not uncommon for companies to store their data — even from different products — on the same cloud storage service. That is why it is important to ensure proper access control and segmentation of customer data, so that if an access key or credential is stolen, they cannot be used. used to access the company’s entire customer database.
If the cloud storage account shared by both LastPass and GoTo has been compromised, it is likely that the unauthorized party has obtained keys that allow broad, if not unfettered, access to the data. corporate cloud data, encrypted or otherwise.
LastPass does not yet know what was accessed or if data was obtained
In its blog post, LastPass said it is “working diligently” to understand What specific information? accessed by unauthorized parties. In other words, at the time of the blog post, LastPass did not yet know what customer data was accessed or if the data was removed from the cloud storage.
It’s a difficult position for a company. Some moves to report security incidents quickly, especially in jurisdictions where immediate public disclosure is required, even if the company has little or nothing to share Share what really happened.
LastPass would be in a much better position to investigate whether it has logs it can comb through, which could help incident responders know what data was accessed and whether anything was stolen or not. That’s a question we asked companies a lot and LastPass is no different. When companies say they have “no proof” of access or compromise, it may be because they lack the technical means, such as logging, to know what’s going on.
A malicious actor may be behind the breach
The wording of LastPass’s blog post in August left open the possibility that the “unauthorized party” might not be acting with malicious intent.
It is possible to gain unauthorized access to a system (and break the law in the process), and still act in good faith if the ultimate goal is to report the problem to the company and fix it. that subject. can it be free hacks for you if the company (or government) is not satisfied with the intrusion. But common sense prevails when it becomes clear that a well-intentioned hacker or security researcher is working to fix a security problem, not causing it.
At this point, it’s pretty safe to assume illegal party ️ Behind the breach is a malicious actor at work, even if the hacker’s — or hacker’s — motive is unknown.
LastPass blog post says unauthorized party use the information obtained 🖍️ in the August breach to compromise LastPass for the second time. LastPass doesn’t say what this information is. It could mean the access keys or credentials that the unauthorized party obtained during their attack on LastPass’s development environment in August, but LasPass never recovered.
What LastPass Didn’t Say In Its Data Breach
We don’t know when the breach actually happened
LastPass did not say when the second breach occurred, only that it was “recently discovered” ️refers to the company detecting a breach and not necessarily an intrusion.
There’s no reason for LastPass or any company to withhold the date of the hack if they know when it happened. If it’s caught fast enough, you’d expect it to be mentioned as a point of pride.
But instead, companies will sometimes use vague terms like “recent” (or “advanced”), which don’t really mean anything without the necessary context. It’s possible that LastPass didn’t discover its second breach until the intruder gained access.
LastPass won’t say what kind of customer information might be at risk
An obvious question is what customer information do LastPass and GoTo store in their shared cloud storage? LastPass just says “certain elements” of customer data ️ has been accessed. That can range from the personal information a customer provided to LastPass when they signed up, such as their name and email address, to sensitive financial or payment information and password vaults. client coding.
LastPass is adamant that customer passwords are secure due to the way the company designs its zero-knowledge architecture. knowledge? is a security principle that allows companies to store customer encrypted data so that only the customer can access it. In this case, LastPass stores each customer’s password vault in its cloud storage, but only the customer has the master password to unlock the data, not even LastPass.
The wording of LastPass’ blog post is unclear as to whether the customer’s encrypted password vault is stored in the same shared cloud storage that was compromised. LastPass only says that the customer’s password “still securely encrypted” ️ this can still be true, even if an unauthorized party has accessed or stolen the customer’s encrypted vault, as the customer’s master password is still required to unlock their password.
If a customer’s encrypted password vault was exposed or subsequently leaked, that would remove a significant obstacle in how to access one’s password, since all they need is the master password. of the victim. An exposed or compromised password vault is only as strong as the encryption used to obfuscate it.
LastPass hasn’t said how many customers were affected
If an intruder has accessed a shared cloud storage account that stores customer information, it is reasonable to assume that they have substantial, if not unlimited, access to any data. Which client is stored.
The best-case scenario is that LastPass has segmented or broken down customer information to prevent a situation like a catastrophic data theft.
LastPass says that its development environment, which was initially compromised in August, does not store customer data. LastPass also said that its production environment — the term for servers that are actively used to process and process user information — is physically separated from its development environment. By that logic, it seems likely that an intruder may have gained access to LastPass’s cloud production environment, although LastPass stated in its first autopsy in August that “there is no evidence ” about unauthorized access to its production environment. Again, that’s why we ask about log.
Why does GoTo hide its data breach notifications?
If you think LastPass’s blog post is too detailed, the statement from its parent company GoTo is even lighter. What’s more curious is why if you search for GoTo’s statement you won’t find it at first. That’s because GoTo used the “noindex” code on the blog post to tell search engine crawlers, like Google, to ignore it and not list the page as part of the results. search, making sure that no one can find it unless you know its specific web address.
Lydia Tsui, director of crisis communications firm Brunswick Group, which represents GoTo, told TechCrunch that GoTo had removed the “noindex” code that blocks data breach notifications from search engines, but declined to say what. Where does the reason for the post to be blocked come from? .
Some mysteries we may never solve.