LastPass is a very popular password management service with both personal and business solutions. Recently, LastPass has come under mounting criticism from the information security industry as a result of an incident described in an August 2022 blog post. The blog post was updated in November, and then again on December 22, 2022, with each update seeming more ominous than the last.

In their most recent update, LastPass appears to contradict itself on a technicality:

> While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

To me this reads as: no customer data was accessed initially, yet sufficient information was stolen to target an employee, which resulted in storage volumes being decrypted and accessed. To form an analogy: "while the bank robbers didn't take anything belonging to customers, they stole the keys to the vault, which were used at a later time to gain access to customer valuables." It is technically accurate, yet a semantic contradiction.

Those storage volumes contained backups of data that was accessed by the third party, specifically (again from the LastPass blog):

> The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The LastPass blog continues to describe how, in addition to all of the above information, a copy of the customer vault data (i.e. the customers' encrypted passwords and other data) was also obtained by the third party. In addition, LastPass makes several statements downplaying the severity of the stolen vaults, and they have also never made it clear exactly which fields were encrypted and which weren't (e.g. we still don't know if notes were encrypted). You can read 1Password's blog post "Not in a Million Years" to better understand how your password vault may be more crackable than LastPass claims.

As with any password manager, the entire business model of the LastPass solution is to provide a more secure and user-friendly way to manage passwords than having people try to manage their own. The passwords in question are what protect virtually all personal data that is accessed on the Internet. As a consequence, customers should be able to trust their password manager to take better security measures than just about any other type of service or product they interact with online. While I appreciate it when a company makes the effort to disclose the results of its incident investigations, I don't agree with using technical jargon and conjecture to mislead customers into a false sense of security. This "it's not so bad" attitude, combined with the numerous LastPass breaches over the last few years, has eroded the trust necessary for LastPass to be considered a viable solution.
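The "more crackable than LastPass claims" point above comes down to two numbers an attacker holding a stolen vault controls nothing about but benefits from: the entropy of the master password and the PBKDF2 iteration count on the account. The Python below is an added example written for this page; it is not code from the original post, from LastPass or from 1Password. It models a LastPass-style vault key derivation (PBKDF2-HMAC-SHA256 with the lowercased account email as salt, which is an assumption of this example), estimates the expected crack time for a given entropy and iteration count, and runs an offline wordlist attack against a constructed "does this key open the vault?" check value. The sample email, password, wordlist, the `key_check_value` construction and the `1e10` HMAC-per-second guess rate are all constructed assumptions, not measured figures.

```python
import hashlib
import math

# Assumed model (an assumption of this example, not stated on the page):
# a LastPass-style vault key is PBKDF2-HMAC-SHA256(master password,
# salt = lowercased account email, N iterations, 32-byte output).
DEFAULT_ITERATIONS = 100_100     # current LastPass default iteration count
LEGACY_ITERATIONS = 5_000        # what many older accounts were left at
ASSUMED_HMAC_PER_SECOND = 1e10   # assumed throughput of one GPU cracking rig


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault encryption key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check_value(vault_key: bytes) -> bytes:
    """Constructed stand-in for 'does this key decrypt the stolen vault?'.

    A real attacker would AES-decrypt a known vault field and check the
    padding or plaintext; hashing the key is enough to show the guessing loop.
    """
    return hashlib.sha256(b"vault-key-check|" + vault_key).digest()


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, iterations: int,
                         hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Expected time to guess the master password, in years.

    On average the attacker tries half the keyspace; each guess costs
    `iterations` HMAC-SHA256 evaluations, so the KDF work factor raises the
    cost linearly while password entropy raises it exponentially.
    """
    expected_guesses = 2.0 ** (entropy_bits - 1)
    seconds = expected_guesses * iterations / hmac_per_second
    return seconds / (365.25 * 24 * 3600)


def offline_crack(check_value: bytes, email: str, iterations: int, wordlist):
    """Try each candidate master password against the stolen check value."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, email, iterations)
        if key_check_value(key) == check_value:
            return candidate
    return None


def crack_time_table(hmac_per_second: float = ASSUMED_HMAC_PER_SECOND):
    """Map (scenario label, iterations) -> expected years to crack."""
    scenarios = [
        ("12 random printable characters (generated password)",
         password_entropy_bits(12, 95)),
        ("typical human-chosen password, about 30 bits", 30.0),
    ]
    rows = {}
    for label, bits in scenarios:
        for iterations in (DEFAULT_ITERATIONS, LEGACY_ITERATIONS):
            rows[(label, iterations)] = expected_crack_years(bits, iterations, hmac_per_second)
    return rows


# Constructed sample victim (not real data): weak master password, legacy
# iteration count, and a small wordlist that happens to contain the password.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "Summer2022!"
SAMPLE_WORDLIST = ["password", "letmein", "Winter2021!", "Summer2022!",
                   "correcthorsebatterystaple"]


if __name__ == "__main__":
    stolen_check = key_check_value(
        derive_vault_key(SAMPLE_PASSWORD, SAMPLE_EMAIL, LEGACY_ITERATIONS))
    print("recovered master password:",
          offline_crack(stolen_check, SAMPLE_EMAIL, LEGACY_ITERATIONS, SAMPLE_WORDLIST))
    for (label, iterations), years in crack_time_table().items():
        print(f"{label} @ {iterations:>7,} iterations: {years:.3g} years")
```

Running it shows why "millions of years" and "a few hours" can both be true: at the assumed guess rate, a 12-character random password stays out of reach at either iteration count, while a 30-bit human-chosen password falls in hours at 100,100 iterations and in minutes at 5,000. The iteration count is the only one of the two factors the vendor controls, which is why the accounts left on low counts matter once the ciphertext is in an attacker's hands.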