from the details-are-so-secret-that-even-we-don't-know-them dept.
What LastPass said — and hasn't said — about its second data breach this year:
Two weeks ago, the password manager giant LastPass disclosed its systems were compromised for a second time this year.
Back in August, LastPass found that an employee's work account was compromised to gain unauthorized access to the company's development environment, which stores some of LastPass' source code. LastPass CEO Karim Toubba said the hacker's activity was limited and contained, and told customers that there was no action they needed to take.
Fast-forward to the end of November, and LastPass confirmed a second compromise that it said was related to its first. This time around, LastPass wasn't as lucky. The intruder had gained access to customer information.
In a brief blog post, Toubba said information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.
But since then, we've heard nothing new from LastPass or GoTo, whose CEO Paddy Srinivasan posted an even vaguer statement saying only that it was investigating the incident, but neglected to specify if its customers were also affected.
[...] Over the years, TechCrunch has reported on countless data breaches and what to look for when companies disclose security incidents. With that, TechCrunch has marked up and annotated LastPass' data breach notice with our analysis of what it means and what LastPass has left out — just as we did with Samsung's still-yet-unresolved breach earlier this year.
LastPass and GoTo share their cloud storage
A key part of why both LastPass and GoTo are notifying their respective customers is because the two companies share the same cloud storage. [...]
LastPass doesn't yet know what was accessed, or if data was taken
In its blog post, LastPass said it was "working diligently" to understand what specific information was accessed by the unauthorized party. In other words, at the time of its blog post, LastPass doesn't yet know what customer data was accessed, or if data was exfiltrated from its cloud storage. [...]
A malicious actor is probably behind the breach
The wording of LastPass' blog post in August left open the possibility that the "unauthorized party" may not have been acting in bad faith.
[...] At this point it's fairly safe to assume that the unauthorized party behind the breach is a malicious actor at work, even if the motive of the hacker — or hackers — is not yet known. [...]
We don't know when the breach actually happened
LastPass did not say when the second breach happened, only that it was "recently detected", which refers to the company's discovery of the breach and not necessarily the intrusion itself. [...]
LastPass won't say what kind of customer information could have been at risk
An obvious question is what customer information LastPass and GoTo are storing in their shared cloud storage. LastPass only says that "certain elements" of customer data were accessed. That could be as broad as the personal information that customers gave LastPass when they registered, such as their name and email address, all the way through to sensitive financial or billing information and customers' encrypted password vaults. [...]
LastPass hasn't said how many customers are affected
If the intruder accessed a shared cloud storage account storing customer information, it's reasonable to assume that they had significant, if not unrestricted access to whatever customer data was stored.
A best-case scenario is that LastPass segmented or compartmentalized customer information to prevent a scenario like a catastrophic data theft. [...]
Why did GoTo hide its data breach notice?
If you thought LastPass' blog post was light on details, the statement from its parent company GoTo was even lighter. What was more curious is that if you searched for GoTo's statement, you wouldn't initially find it. That's because GoTo used "noindex" code on the blog post to tell search engine crawlers, like Google, to skip it and not catalog the page as part of its search results, ensuring that nobody could find it unless they knew its specific web address.
[...] Lydia Tsui, a director at crisis communications firm Brunswick Group, which represents GoTo, told TechCrunch that GoTo had removed the "noindex" code blocking the data breach notice from search engines, but declined to say for what reason the post was blocked to begin with.
Some mysteries we may never solve.
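The "noindex" mechanism described above lives in two standard places: a robots meta tag in the HTML and the X-Robots-Tag response header. The following added example (not TechCrunch's, GoTo's or LastPass' code) checks both for a given page; the sample notice and headers are constructed, and the function names are this example's own.

```python
from html.parser import HTMLParser


class _RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots"> / <meta name="googlebot"> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.extend(_split(a.get("content", "")))


def _split(value):
    """'noindex, nofollow' -> ['noindex', 'nofollow'] (lowercased, trimmed)."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def find_noindex(html, headers=None):
    """Return where a noindex directive was found: 'meta', 'header', or both.

    headers is a dict of HTTP response headers (constructed in the demo below).
    An empty list means nothing on the page tells crawlers to skip it.
    """
    found = []
    parser = _RobotsMetaParser()
    parser.feed(html)
    if "noindex" in parser.directives or "none" in parser.directives:
        found.append("meta")
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag":
            # Header may be plain ("noindex") or bot-scoped ("googlebot: noindex")
            head, _, rest = value.partition(":")
            directives = _split(rest if rest and "," not in head else value)
            if "noindex" in directives or "none" in directives:
                found.append("header")
    return found


# Constructed sample page: a breach notice hidden from crawlers by a meta tag.
HIDDEN_NOTICE = """<html><head><title>Security incident update</title>
<meta name="robots" content="noindex, nofollow"></head>
<body><p>We are investigating an incident.</p></body></html>"""

if __name__ == "__main__":
    print(find_noindex(HIDDEN_NOTICE, {"X-Robots-Tag": "noindex"}))  # ['meta', 'header']
```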
(Score: 1) by Runaway1956 on Thursday December 22, @11:33PM (2 children)
Imagine the conversations in the executive meeting rooms. The guy in the pinstripes says, "They didn't get anything important, don't worry about it." Who knows what is important, and what is unimportant? I mean, if you guys really had all your shit together, they wouldn't have broken in the first time. Obviously, your shit isn't together, so how in hell do you know what's important?
Meanwhile, boys and girls, remember to commit all of your data to the cloud, where it's secure!
Abortion is the number one killer of children in the United States.
(Score: 1, Funny) by Anonymous Coward on Thursday December 22, @11:50PM (1 child)
Security is too important to trust to yourself; best to let the cloud experts secure it for you. Like that guy who showed off how secure his stuff was by driving around with a billboard with his SSN on it, but he had to stop doing that because he kept getting his identity stolen [wired.com].
(Score: 2) by Ox0000 on Friday December 23, @01:57PM
It's the digital form of feudalism: a handful of feudal lords (Microsoft, Amazon, Google, Facebook) who will 'protect' you from villains roving around the unclaimed territories: quickly get inside the castle walls, but pay us your taxes with your privacy, or we kick you out... Try running an e-mail server these days; if you're not one of the blessed lords (Google/GMail, Microsoft/O365, Apple/iCloud, ...), you'll be having a pretty crappy time.
(Score: 3, Informative) by Tokolosh on Friday December 23, @12:01AM
"Dear LastPass Customer,
We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.
We thank you for your patience and continued support of LastPass.
The Team at LastPass"
LastPass blog is here: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/ [lastpass.com]
(Score: 0) by Anonymous Coward on Friday December 23, @08:26AM (1 child)
The rest shouldn't be using LastPass after their first screw-up.
(Score: 2) by aafcac on Friday December 23, @09:19PM
They used to claim that they didn't have access to any of the information, but somehow they knew the URL to display an appropriate icon.
(Score: 3, Touché) by Ox0000 on Friday December 23, @12:39PM
There was an update that said: "They got your vaults, but don't worry, it's encrypted...": https://www.theregister.com/2022/12/23/lastpass_attack_update/ [theregister.com]
It always follows a playbook that goes something like this:
You are currently at step 5 or 7, depending on how much worse this will get as they try to disclose more news during New Year's Eve in the hope of burying it among NYE crap.