Parsing LastPass’ data breach notice

Two weeks ago, password manager giant LastPass revealed that its systems had been compromised for the second time this year.

Back in August, LastPass detected that an employee's work account had been compromised and used to gain unauthorized access to the company's development environment, which stored some of LastPass' source code. LastPass CEO Karim Toubba said the hacker's activity was limited and contained, and told customers there was no action they needed to take.

Fast forward to the end of November, and LastPass confirmed a second compromise related to the first. This time, LastPass was not so lucky: the intruder accessed customer information.

In a brief blog post, Toubba said information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.

But since then, we haven't heard anything new from LastPass or from GoTo, whose CEO Paddy Srinivasan posted an even vaguer statement that said only that the company was investigating the incident, without specifying whether its own customers were also affected.

GoTo spokeswoman Nikolett Bacso Albaum declined to comment.

For years, TechCrunch has reported on countless data breaches and on what to look for when organizations disclose security incidents. With that in mind, TechCrunch has annotated LastPass' data breach notification, as we did with Samsung's still-unresolved breach earlier this year, with our analysis of what it means and what LastPass has left out.

What LastPass said in its data breach notification

LastPass and GoTo share their cloud storage

A key part of why both LastPass and GoTo are notifying their respective customers is that the two companies "share the same cloud storage."

Neither company has named the third-party cloud storage service, but it is likely to be Amazon Web Services, Amazon's cloud computing arm. An Amazon blog post from 2020 described how GoTo, then known as LogMeIn, had moved more than a billion records from Oracle's cloud to AWS.

It's not unusual for companies to store their data, even data from different products, in the same cloud storage service. That's why it's important to enforce proper access controls and segregate customer data, so that if one set of access keys or credentials is stolen, it can't be used to reach a company's entire customer data set.

If a cloud storage account shared by LastPass and GoTo was compromised, the unauthorized party may have obtained keys allowing unfettered access to both companies' cloud data, encrypted or otherwise.

LastPass still doesn’t know what was accessed or what data was taken

In its blog post, LastPass said it was working "diligently" to determine "what specific information" had been accessed by the unauthorized party. In other words, at the time of its blog post, LastPass still didn't know what customer data had been accessed or whether data had been pulled from its cloud storage.

This is a tough position for a company to be in. Some move quickly to report security incidents, especially in jurisdictions that mandate prompt public disclosure, even if the company still has little or nothing to say about what actually happened.

LastPass will be in a better position to investigate if it has comprehensive logs, which help incident responders determine what data was accessed and whether anything was exfiltrated. This is a question we ask companies a lot, and LastPass is no different. When companies say they have "no evidence" of access or compromise, it can mean they lack the technical means, such as logging, to know what happened.

A malicious actor is likely behind the breach

The wording of LastPass’ blog post in August suggests that the “unauthorized party” was likely not acting in bad faith.

Gaining unauthorized access to a system (and breaking the law in the process) can be done in good faith if the end goal is to report the problem to the company so it can be fixed. That does not immunize anyone from hacking charges if the company (or government) is unhappy with the intrusion. But when it's clear that a good-faith hacker or security researcher is working to fix a security problem, not cause one, common sense often prevails.

At this point, it's safe to assume that the "unauthorized party" is a malicious actor, even though the motive of the hacker, or hackers, is still unknown.

LastPass' blog post says the unauthorized party "used information" obtained in the August breach to compromise LastPass a second time. LastPass does not say what that information is. It could be access keys or credentials that the unauthorized party picked up while inside LastPass' development environment in August and that LastPass never revoked or rotated.

What LastPass didn't say in its data breach notification

We don’t know when the breach actually happened

LastPass did not say when the second breach occurred, only that it was "recently detected." That describes when the company discovered the breach, not necessarily when the intrusion happened.

There is no reason for LastPass, or any company, to withhold the date of an intrusion if it knows when it happened. If the intrusion was caught quickly, you can expect that to be mentioned with pride.

But companies instead sometimes use vague terms like "recent" (or "enhanced") that mean little without the necessary context. It is not clear how long the intruder had access before LastPass detected the second breach.

LastPass won’t say what kind of customer information may have been at risk

An obvious question is what customer information is stored in LastPass and GoTo's shared cloud storage. LastPass says only that "certain elements" of customer data were accessed. That could be anything from personal information, such as the name and email address customers provide when they register, to sensitive financial or billing information, to customers' encrypted password vaults.

LastPass is confident that customers' passwords are safe because of how the company designed its zero-knowledge architecture. Zero knowledge, in this sense, is a design in which a company stores its customers' data encrypted so that only the customer can access it. In this case, LastPass stores each customer's password vault in its cloud storage, but only the customer holds the master password that unlocks the vault; LastPass does not.

The wording of LastPass' blog post is unclear as to whether customers' encrypted password vaults were stored in the same shared cloud storage that was compromised. LastPass says only that customer passwords "remain safely encrypted." That can be true even if an unauthorized party accessed or exfiltrated encrypted customer vaults, since the customer's master password is still required to unlock them.

If customers' encrypted password vaults were exposed or later leaked, a significant barrier to accessing a person's passwords would be gone, since all an attacker would then need is the victim's master password. An exposed or stolen vault is only as strong as the encryption used to scramble it and the master password that unlocks it: with the ciphertext in hand, guesses can be tried offline, without ever touching LastPass' servers.
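To make the "only as strong as the master password" point concrete, here is an added example, written for this article and not LastPass' own code or vault format. It models a zero-knowledge vault with standard-library primitives only: the master password is stretched with PBKDF2-HMAC-SHA256 into an encryption key and a MAC key, the vault is encrypted with a small HMAC-based stream cipher (a teaching construction, not a production cipher), and an attacker holding the stolen blob tries a constructed wordlist offline. The iteration count, sample vault and wordlist are all assumptions made for the example.

```python
"""Toy zero-knowledge vault and offline guessing against a stolen copy.

Added example, not LastPass code. Everything here is standard library so it
runs offline; the vault format, cipher and iteration count are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption: work factor per guess for this toy, not LastPass's value


def derive_keys(master_password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a teaching stand-in for a real cipher like AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS,
                  salt: bytes | None = None, nonce: bytes | None = None) -> dict:
    """Encrypt-then-MAC the vault. The server only ever sees the returned blob."""
    salt = salt or secrets.token_bytes(16)
    nonce = nonce or secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, blob: dict) -> bytes | None:
    """Return the plaintext, or None if the master password is wrong (tag mismatch)."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    keystream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], keystream))


def offline_guess(blob: dict, candidates) -> tuple[str | None, int]:
    """Attacker side: try candidate master passwords against a stolen blob.

    Each attempt costs one full PBKDF2 derivation, so the iteration count sets
    the price per guess. Returns (recovered_password_or_None, attempts_made).
    """
    candidates = list(candidates)
    for attempts, guess in enumerate(candidates, start=1):
        if decrypt_vault(guess, blob) is not None:
            return guess, attempts
    return None, len(candidates)


if __name__ == "__main__":
    # Constructed sample data: a tiny vault and a tiny wordlist.
    vault = b"example.com: alice / correct horse battery staple\n"
    wordlist = ["password", "123456", "letmein", "Winter2022!", "qwerty"]

    weak = encrypt_vault("Winter2022!", vault)
    strong = encrypt_vault("tundra-violin-quartz-ember-7", vault)

    print("weak master password:", offline_guess(weak, wordlist))
    print("strong master password:", offline_guess(strong, wordlist))
```

The attacker never needs LastPass' servers, rate limits or logs once the blob is exfiltrated; the only remaining defences are the master password's entropy and the per-guess cost set by the iteration count, which is why "remains safely encrypted" is a statement about the customer's password as much as about the company's cryptography.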

LastPass did not say how many customers were affected

If an intruder had access to a shared cloud storage account that holds customer information, it is reasonable to assume they had significant access to whatever customer data is stored there.

The best case scenario is that LastPass separates or segregates customer information well enough to prevent a catastrophic data theft.

LastPass says its development environment, which was initially compromised in August, does not store customer data. LastPass also says its production environment, the term for the servers in active use to handle and process user information, is physically separated from its development environment. By that logic, it appears likely that the intruder gained access to LastPass' cloud production environment, even though LastPass said in its initial August postmortem that there was "no evidence" of unauthorized access to its production environment. Again, that's why we ask about logs.

At worst, LastPass has about 33 million customers, and GoTo reported 66 million customers in its most recent earnings in June.

Why did GoTo hide its data breach notification?

If you thought LastPass' blog post was short on details, the statement from its parent company GoTo is even thinner. Curiously, you couldn't find it by searching for GoTo's notice. That's because GoTo used a "noindex" tag on the blog post to stop search engine crawlers like Google from listing the page in their results, so nobody could find it unless they already knew its specific web address.
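A quick way to check whether a disclosure page has been hidden from search engines, as an added example and not code from GoTo or TechCrunch: the two standard mechanisms are a `<meta name="robots">` tag in the HTML and an `X-Robots-Tag` response header, and the function below reports which of them carries a `noindex` (or `none`) directive. The HTML and headers used below are constructed samples, not GoTo's actual page.

```python
"""Detect whether a page asks search engines not to index it.

Added example; checks the robots meta tag and the X-Robots-Tag header, the
two documented ways a publisher keeps a page out of search results.
"""
from __future__ import annotations

from html.parser import HTMLParser

# "none" is shorthand for "noindex, nofollow", so it counts as well.
NOINDEX_DIRECTIVES = {"noindex", "none"}


class _RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> (and bot-specific variants)."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: set[str] = set()

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        if name == "robots" or name.endswith("bot"):  # e.g. "googlebot", "bingbot"
            self.directives.update(d.strip().lower() for d in a.get("content", "").split(","))


def _header_directives(value: str) -> set[str]:
    """Parse 'noindex, nofollow' or bot-scoped 'googlebot: noindex' header values."""
    out = set()
    for part in value.split(","):
        part = part.strip().lower()
        if ":" in part:  # strip an optional "user-agent:" prefix
            part = part.rsplit(":", 1)[1].strip()
        out.add(part)
    return out


def noindex_reasons(html: str, headers: dict[str, str] | None = None) -> list[str]:
    """Return a human-readable reason for each noindex mechanism found; empty list if none."""
    reasons: list[str] = []
    parser = _RobotsMetaParser()
    parser.feed(html)
    hits = parser.directives & NOINDEX_DIRECTIVES
    if hits:
        reasons.append("meta robots: " + ",".join(sorted(hits)))
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag" and _header_directives(value) & NOINDEX_DIRECTIVES:
            reasons.append("X-Robots-Tag header: " + value)
    return reasons


if __name__ == "__main__":
    # Constructed sample: a breach notice whose <head> carries a noindex tag.
    sample_html = (
        '<html><head><title>Security Incident</title>'
        '<meta name="robots" content="noindex, nofollow"></head>'
        "<body><p>We are investigating...</p></body></html>"
    )
    print(noindex_reasons(sample_html, {"Content-Type": "text/html"}))
```

Run it against the fetched HTML and response headers of any disclosure page; an empty list means the page is at least discoverable, while either reason indicates the publisher chose to keep it out of search results.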

Lydia Tsui, a director at crisis communications firm Brunswick Group, which represents GoTo, told TechCrunch that GoTo has since removed the "noindex" code that kept its data breach notification out of search engines, but declined to say why the post was blocked in the first place.

Some mysteries we can never solve.
