Pwsafe minimize on startup
6/11/2023

In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation. Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.

“If you think that your LastPass password vault could be compromised - such as if your master password is weak or you’ve used it elsewhere - you should begin changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, your cell phone plan account, your bank accounts and your social media accounts, and work your way down the priority list.” LastPass also recommends changing the passwords if you think that your LastPass password vault could be compromised.

This means that your current LastPass vault is secured. Also, make sure you write down your new password and keep it in a safe place. Use a passphrase with special characters that is only known to you. If you’re a LastPass customer, the best and quickest thing you can do to protect yourself is to change your current LastPass master password to a new and unique password.

“While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

What Does This Mean for LastPass Customers And How Can You Protect Yourself?
“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022.” LastPass added that no customer data was accessed during the August 2022 incident, but some of the company’s source code and technical information were stolen from its development environment and used to target another employee. The key difference is that customer vaults were accessed this time, which are kept in a completely separate database. According to LastPass, the previously undisclosed incident took place in August of this year.

“I worked at LastPass as an engineer a long time ago. My 2 cents on the situation. This is the worst breach LastPass has had. By a lot,” a former LastPass engineer warned.

But LastPass didn’t say how recent the stolen backups are. A former LastPass engineer even took to social media to warn about the recent breach.

In an updated blog post, Toubba said the threat actors took a copy of a backup of customer vault data from the encrypted storage container by using cloud storage keys stolen from a LastPass employee. The backup is stored in a “proprietary binary format” that contains both unencrypted data, which includes website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

LastPass said that the data breach took place earlier this year. In an announcement today, LastPass CEO Karim Toubba confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.

LastPass, the startup that’s supposed to keep users’ passwords safe, confirmed today that hackers stole its customers’ encrypted password vaults. The announcement comes the same day Comcast Xfinity reported that users’ accounts were hacked in widespread 2FA bypass attacks.

“Stop using LastPass as your password manager. Move to any other one, and please change any passwords you have on there now.” That was a dire warning from the Director of Engineering at SpotAi.