Beleaguered password manager LastPass has announced another serious security flaw, and this time it could be the last straw for some users.
For months now, the company periodically provides updates on a nasty data leak that happened last August. At the time, LastPass revealed that a cybercriminal had managed to hack his way into the company’s development environment and steal some source code, but claimed there was “no evidence” that user data had been compromised as a result. Then, in December, the company made a updaterevealing that, well, actually, certain user information had compromised, but couldn’t share what exactly was affected. A few weeks later, the time has come did to reveal what was impacted: users’ vault data, which under the right, extreme circumstances can lead to total account compromise. And now, finally, LastPass has provided more details, which showed that the consequences of the breach were even worse than previously thought. It’s probably enough to send some users running for the hills screaming.
According to a press release published Monday, the first data breach in August allowed the cybercriminal to hack into the home computer of one of LastPass’s most privileged employees – a senior DevOps engineer and one of only four employees with access to decryption keys that manage the company’s shared cloud. platform could unlock environment. The hacker then laced the engineer’s computer with a keylogger, allowing them to steal their LastPass master password. Using the PW, the cybercriminal managed to break into the technician’s password vault and, by extracting the necessary decryption keys from the technician’s account, penetrated LastPass’s shared cloud environment, where they stored a slew of important data. steel.
The company admits that the hacker “exported the original company vault entries and shared folder contents, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,”
In short: yikes, yikes, yikes.
Suffice to say, this won’t make most of the platform’s customers very happy. The extent to which the cybercriminal was able to penetrate the company’s defenses is certainly unnerving. In fact, Motherboard security reporter Joseph Cox is recommend that internet users avoid LastPass altogether. In his article on the most recent revelations, Cox explains the password manager for its security hiccups, dodgy PR tactics, and lack of transparency:
LastPass, the popular password manager, is out of goodwill. Since the company first disclosed a breach in August, it has slowly provided consumers with trickles of information, and the new details coming out increasingly paint a picture of a company that shouldn’t be trusted with your passwords.
Cox concludes his article by noting that “it’s time to find another password manager.” For more than a few users, they are undoubtedly on the same page.