
posted by janrinok on Sunday December 04 2022, @12:34AM

Intruders Gain Access to User Data in LastPass Incident

The password manager says credentials safely encrypted, confirms link to August attack:

Intruders broke into a third-party cloud storage service LastPass shares with affiliate company GoTo and gained access to "certain elements" of customers' information, the pair have confirmed.

LastPass did not define what it meant by "certain elements," saying it was unsure what data was looked at: "We are working diligently to understand the scope of the incident and identify what specific information has been accessed this morning."

[...] It did maintain, however, that services were unaffected and that customers' passwords remained "safely encrypted" – without ruling out that some of the data was stolen. The company is known to use a one-way salted hash for master passwords, with a fuller description in this technical whitepaper. The master passwords are used to lock users' password vaults, where their logins for various websites etc. can be stored, with the passphrase only ever entered by the user on their browser or app and not sent to or stored by LastPass.

Users who lose their master passwords can lose access to their vaults, although there are some recovery options.

LastPass Security Breach Worse Than Initially Reported

[...] In a blog post dated November 30th, LastPass CEO Karim Toubba informed customers that "an unauthorized party ... was able to gain access to certain elements of our customer's information." The CEO didn't specify what type of information was compromised in the blog post. However, he assured customers that their passwords were safe as the company's Zero Knowledge architecture protects them.

The Zero Knowledge technology employed by LastPass means that no plain-text passwords are stored on company servers and that only customers can access their unencrypted passwords.

[...] Toubba explained that while customer data was not accessed during the August attack, information that the hackers obtained was subsequently used to get customer info. The CEO went on to assure his client base that the company is working hard to understand the full scope of the breach and is deploying enhanced security measures and closely monitoring for any further attacks.

The admission is surely an embarrassment for LastPass, but it's not the first time in recent memory the company has suffered a massive security breach. Less than a year ago, the company suffered a brute-force attack from hackers, causing a slew of unauthorized login attempt notifications to go out to many of its customers.
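Both excerpts above describe the same design: the master password is stretched on the client into a vault key, the vault is encrypted before it is uploaded, and the server keeps only a salted one-way hash for login, so a copy of the server's records does not contain anything that decrypts a vault. The following Python is an added example written for this page to show that flow end to end; it is not LastPass's code or parameters. The iteration count, the use of the e-mail address as the key-derivation salt, the HMAC-based stream cipher that stands in for a real AEAD such as AES-GCM, and the sample user data are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; not the vendor's real settings.
ITERATIONS = 100_000
NONCE_LEN = 16


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 256-bit vault key.
    The e-mail address is the per-user salt (assumption). This key never
    leaves the client."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side: the only credential sent to the server. It is one more
    one-way step past the vault key, so holding it does not yield the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative HMAC-SHA256 counter-mode stream cipher so the example runs
    on the standard library alone. It is unauthenticated; a real client would
    use an AEAD such as AES-GCM here (assumption, not the vendor's construction)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(vault_key: bytes, plaintext_vault: bytes) -> bytes:
    """Client side: encrypt the vault before upload; the server only sees this blob."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(vault_key, nonce, plaintext_vault)


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client side: decrypt a blob fetched from the server after login."""
    return keystream_xor(vault_key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Server:
    """Everything the service stores per user: a salted one-way hash of the
    auth token (never the token itself) and the opaque encrypted vault."""

    def __init__(self) -> None:
        self.records: dict = {}

    def register(self, email: str, auth_token: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        auth_hash = hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS)
        self.records[email] = {"salt": salt, "auth_hash": auth_hash, "blob": blob}

    def login(self, email: str, auth_token: bytes) -> Optional[bytes]:
        """Return the encrypted blob on success, None otherwise."""
        rec = self.records.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_token, rec["salt"], ITERATIONS)
        if not hmac.compare_digest(candidate, rec["auth_hash"]):
            return None
        return rec["blob"]


def stolen_copy_reveals_key(server: Server, email: str, vault_key: bytes) -> bool:
    """Defender's check: does a full copy of the server record contain the vault
    key, either in the clear or as one of the stored values? It should not."""
    rec = server.records[email]
    return vault_key in rec["blob"] or vault_key == rec["auth_hash"] or vault_key == rec["salt"]


if __name__ == "__main__":
    email, master = "alice@example.com", "correct horse battery staple"  # constructed
    vault = b"example.com: user=alice pw=hunter2\n"  # constructed sample vault
    key = derive_vault_key(master, email)
    token = derive_auth_token(key, master)
    srv = Server()
    srv.register(email, token, encrypt_vault(key, vault))
    blob = srv.login(email, token)
    print(decrypt_vault(key, blob) == vault)          # True: correct password round-trips
    print(stolen_copy_reveals_key(srv, email, key))   # False: server copy lacks the key
```

The point the two excerpts make is visible in `Server.records`: a stolen copy holds a salt, a hash of a hash of the master password, and ciphertext. What that copy does leave exposed is the cost of guessing: an attacker with the records can run offline guesses against `auth_hash`, which is why the key-derivation iteration count and master-password strength, not the server, are what protect a vault once the blob is out.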


Original Submission #1 | Original Submission #2

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 4, Touché) by Snospar (5366) on Sunday December 04 2022, @02:56AM (#1281087)

    People who trust a cloud based service to manage their passwords are playing with fire. When security starts to seem easy then you must assume that "safe" has been thrown away; not always on purpose.

    --
    Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
  • (Score: 2) by helel (2949) on Sunday December 04 2022, @03:58PM (#1281147)

    To play devil's advocate here: For most people the alternative is to simply use their email as their single login for every site as every access necessitates a password reset. That's a far, far worse system.