“However, I believe that the benefits of using a secure password management solution often far outweigh the risks of a potential breach. “They can potentially unlock a treasure trove of access to accounts and sensitive customer data in an instant if they are breached,” he said. Password managers are a challenging but attractive target for threat actors, he explained. “The attack involved source code and technical information being taken from unauthorized access to a third-party storage service the company was using.” “It’s concerning to hear that LastPass has experienced another security incident following a previous one that was made public back in August,” Chris Vaughan, vice president of technical account management, EME at cybersecurity and systems management company Tanium Inc., told SiliconANGLE. In January, LastPass admitted it had suffered an outage, which it first denied, that was caused by a bug. Along with the now two this year, the company’s history of being hacked goes back to 2015, followed by security issues in 20. In December last year, LastPass users reported attempted logins using their master passwords, although the attack was attributed to credential-stuffing. LastPass has a growing list of hacks and security incidents. “In the meantime, we can confirm that LastPass products and services remain fully functional.” Although the email to customers starts by mentioning that the company has a “commitment to transparency,” and going public with the details it has is always positive, yet another incident is not a good look for the company many rely on to secure their passwords. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” LastPass said in an email to customers. The exact data accessed was not detailed by LastPass, but the company did say that customer passwords were not accessed and remained safely encrypted.
Those behind the first hack used data obtained in the hack to gain access to the unnamed cloud provider and customer information. The data breach was a direct result of a previous breach reported by LastPass in August. Password manager LastPass US LP has suffered another data breach, as a hacker gained access to a third-party cloud storage service used by the company and its affiliate GoTo Technologies USA Inc. The post LastPass hacker got customer information and their encrypted vault data first appeared on IT World Canada. “This incident shows that an experienced attacker can exploit a company’s security vulnerabilities and steal sensitive customer data even if he has initially gained access to a certain part of the corporate infrastructure that is not directly related to this sensitive data,” said Walters. “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” he maintained. The encryption and decryption of data is performed only on the local LastPass client” of a user. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said in a blog. In addition, the hacker also copied an encrypted backup of customer vault data from the encrypted storage container.
A hacker accessed a third-party cloud-based storage service LastPass uses to store archived backups of its production data using information gained from an August attack. After further investigation, the company realized that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backups that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. His advice comes after LastPass CEO Karim Toubba acknowledged that last August’s data breach was worse than he described earlier this month. It includes creating a strong master password at least 30 characters long, re-encrypting the password vault, and enabling multi-factor authentication (MFA).” “I recommend that all users change their master passwords and enforce password security best practices.