Email or username:

Password:

Forgot your password?
Zack's posts Post Back to profile
Top-level
Zack Whittaker

LastPass' CEO Karim Toubba, who was appointed in April, says the unauthorized party used information stolen from LastPass systems in August to access the cloud storage containing customer information.

Seems plausible that maybe stolen internal creds or keys weren't invalidated after the August breach, which allowed a second compromise?

More: techcrunch.com/2022/11/30/last

a snippet from LastPass' blog post, which reads "we have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information."
1 Dec 2022 at 2:45 | Open on mastodon.social
6 comments
handyj
DELETED

@zackwhittaker Would also seem to indicate no use of WebAuthn/security keys. Not great

1 Dec 2022 at 3:52 | Open on infosec.exchange
Adam Stasiniewicz

@zackwhittaker Totally plausible. Developers LOVE storing passwords, key, access tokens, etc in source code. It’s a constant battle to keep that type of stuff out of source code.

I’m curious what type of customer data was in this shared could storage. They offer combo plans (LastPass + LogMeIn), so could be some account/billing/etc data used to operate that offer.

It’s worth noting that many organizations are very lax in securing/monitoring their development environments. So while it’s good they detected this stuff, they have to know that their dev system are the primary target. I.e. LastPass doesn’t have the keys to access customer passwords… unless a backdoor gets introduced into their source code…

@zackwhittaker Totally plausible. Developers LOVE storing passwords, key, access tokens, etc in source code. It’s a constant battle to keep that type of stuff out of source code.

I’m curious what type of customer data was in this shared could storage. They offer combo plans (LastPass + LogMeIn), so could be some account/billing/etc data used to operate that offer.

1 Dec 2022 at 3:56 | Open on infosec.exchange
Bob Young :verified:

@zackwhittaker
This incident reminds me of a long-standing theme. I've shared the following before:
How centralization affects cybersecurity:
"Let's put all our eggs in one basket. Then, when there's a slip-up and the basket falls to the pavement, we can all be shocked by the size of the mess."

1 Dec 2022 at 4:54 | Open on infosec.exchange
SpaceLifeForm

@zackwhittaker

I knew this would be easy.

hxtps://aws.amazon.com/blogs/modernizing-with-aws/how-logmein-migrated-a-billion-records-online-from-oracle-to-amazon-aurora-and-achieved-sub-millisecond-response-time/

1 Dec 2022 at 7:46 | Open on infosec.exchange
SpaceLifeForm

@zackwhittaker

There is seriously something wrong at AWS. I have lost count.

1 Dec 2022 at 7:47 | Open on infosec.exchange
Go Up