Earlier, we discussed several high-profile data breaches that exposed millions of people and businesses, and the lessons we can learn from them. The threat of cyberattacks has highlighted the importance of prioritizing and implementing robust measures to protect data and systems. 

This blog examines LastPass' data breaches, a password management giant that revealed in an earlier hack that their customers' encrypted password vaults had been stolen.

LastPass’s First Breach:

LastPass is a large password manager company with over 25 million users and 80,000 business customers. LastPass offers a ‘vault’ that stores username and password pairs for logging into different websites, allowing users not to have to memorize either. Users can create unique and complex strings and save them in their vault, only having to remember a master passphrase that will unlock access to all their usernames and passwords. 

On August 25, 2022, Karim Toubba, CEO of LastPass, posted a blog that told customers of unusual activity detected on LastPass two weeks prior. They determined that an unauthorized party had accessed parts of the LastPass development environment by entering through a compromised developer account. From there, the attacker stole source code and proprietary technical information.

LastPass was keen to stress that no personal data had been compromised and said they “deployed containment and mitigation methods” to stop the breach. Furthermore, they said their development environment was “physically separated” from its production environment, leaving no direct access. This means code can’t be pushed from one side to the other. LastPass also explained that as they didn’t hold copies of users’ master passwords, these couldn’t have been breached. 

LastPass was quick to employ the services of an independent cyber security firm to investigate and found no evidence of code injection attempts following the breach. Experts praised its actions; KnowBe4 lead security advocate, Javid Malik, said “LastPass did well to spot the intrusion into their dev environment, where most organizations probably would have missed it and it is commendable that they communicated the incident clearly to its customers.”

However, the fact that source code was taken would have repercussions to come…

LastPass’s Second Breach:

On November 30, Karim Toubba posted another blog detailing a second breach that was directly linked to the first. The blog post stated that LastPass was breached using “information” compromised in the August incident to access a “third-party cloud storage service” that holds customer data for LastPass and customers of all products of its parent company GoTo. While the cloud storage service was not named in Toubba’s blog post, some further research reveals articles and posts from Amazon discussing how in 2020 LastPass’s parent company GoTo migrated to Amazon Web Services. This means that both LastPass and GoTo share cloud storage. It’s possible that access controls weren’t in place to segment customer data appropriately. While it’s not confirmed what information was accessed during the last breach that allowed this to happen, it may have been keys that have allowed extensive access to both companies. The knock-on effect could’ve been a further compromise of GoTo’s broader suite of products being GoTo owns many products.

At the time of writing this article, LastPass has published nothing more about this incident that would help us answer questions such as when the breach happened? What customer information was accessed? And, how many customers may have been affected. GoTo also published a statement covering the incident, however, this little additional insight was initially hidden from Google index results before later being accessible through web searches.

What steps could LastPass have taken to prevent the breaches:

LastPass is no stranger to security incidents, with incidents in 2011, 2015, 2016, 2017, 2019, 2021, and 2022. LastPass has been vague about how the 2022 breaches happened. But it is known that the first breach occurred from a compromised developer account. This is often achieved via phishing attacks.

The human element of cyber security is an aspect that’s garnered greater importance in recent years, as humans are seen as the weakest link in the chain. Employee training on common threats, including how to spot phishing attempts, is essential, as is using security controls like multi-factor authentication to prevent the compromise of important accounts, such as developer accounts. 

Regarding the second, more severe breach, some serious questions need to be asked of LastPass. Were there proper access controls and segmentation of customer data in the cloud? What was stolen in the first breach? And, did LastPass update credentials? Did they detect the breach promptly? 

Count on our team of experienced professionals to provide tips on data protection, network security, and disaster recovery services. Talk to our experts today.

 

Advantio_Data-Breaches-2022_CTA_V1.0

 

 

Column Header Text Column Header Text Column Header Text

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Performing a review of the media inventories at least annually

Performing a review of the media inventories at least annually

Performing a review of the media inventories at least annually

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Discover More

Advantio_Blog_DNS_Diagram_V1 Image caption goes here. This is HTML text.

Aaron Valentine

Written by

Aaron is a recent graduate of the University of Gloucestershire, where he studied cybersecurity. He is a cyber security consultant at Advantio, using his expertise to help clients secure their systems and protect against cyber threats. In his free time, Aaron enjoys traveling and long walks.

Schedule a call with an expert

WHAT OUR EXPERTS HAVE TO SAY