alpineopk.blogg.se

Lastpass breach








Half a year after the LastPass breach started in August 2022, information on it remains sparse. It took until December 2022 for LastPass to admit losing their users’ partially encrypted vault data. This statement was highly misleading, e.g. making wrong claims about the protection level provided by the encryption. Some of the failures to protect users only became apparent after some time, such as many accounts configured with a dangerously low password iterations setting; the company hasn’t admitted them to this day.

Despite many questions being raised, LastPass maintained strict radio silence since December. Until yesterday, when they published an article with details of the breach. If you look closely, the article again carefully avoids making definitive statements.

TL;DR: The breach was helped by a lax security policy: an employee was accessing critical company data from their home computer. Also, contrary to what LastPass claimed originally, business customers using Federated Login Services are very much affected by this breach. In fact, the attackers might be able to decrypt company data without using any computing resources on bruteforcing master passwords.

Update (): I found additional information finally explaining the timeline here. So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022. The “Timeline of the breach” section has been rewritten accordingly.

According to LastPass, only four DevOps engineers had access to the keys required to download and decrypt LastPass backup data from Amazon Web Services (AWS). These keys were stored in LastPass’ own corporate LastPass vault, with only these four people having access. The attackers learned about that when they initially compromised LastPass in August 2022. So they specifically targeted one of these DevOps engineers and infected their home computer with a keylogger.








