LastPass informed its customers a few hours ago that "unusual activity" was recently detected in a third-party cloud storage service. This cloud storage service is currently used by both LastPass and its subsidiary GoTo. However, those who use the LastPass service to store passwords should not worry, according to the provider. Customers' passwords remain securely encrypted due to LastPass' Zero Knowledge architecture.
Third-party access to cloud storage
I had seen it a couple of hours ago, but didn't have time to post this here on the blog. The provider LastPass has reported a security incident – thanks also to users for pointing it out via email.
In this statement LastPass confirms the security incident on November 30, 2022, which also affects its subsidiary GoTo. The GoTo notification can be found in this blog post. Both posts state that they recently discovered unusual activity on a third-party cloud storage service. This cloud storage service is in use by both LastPass and its subsidiary, GoTo.
It was then discovered that an unauthorized party, using information obtained in August 2022, was able to gain access to certain LastPass (and arguably GoTo) customer information. Immediately after the discovery, security firm Mandiant was hired to analyze the incident and LastPass notified law enforcement.
Currently, LastPass is working with Mandiant to understand the scope of the cyber incident and to determine what specific information was accessed.
Not the first hack
At the mention that the attackers obtained the information used to access the cloud storage in August 2022, all alarm bells are ringing for me. That's because in August 2022, the LastPass development environment was hacked (see my blog post LastPass security incident: Development environment hacked (August 25, 2022)). LastPass developers wrote at the time that they had no evidence that this incident involved any access to customer data or encrypted password vaults. It was later revealed that the attackers were active in LastPass IT systems for four days until the attack was discovered – see my blog post LastPass confirmed: Attackers had access to internal systems for four days.
Are user passwords secure?
LastPass writes that the LastPass products and services are still fully functional. That wouldn't really be reassuring to me as a LastPass user, as the same was claimed in August 2022 (see my posts linked above). But it looks like customers who use LastPass as a password store will walk away unscathed. In any case, the company claims that LastPass customers' passwords are secure because they are stored in encrypted form due to LastPass' Zero Knowledge architecture.
That also sounds plausible. However, individual user posts, which I found on Twitter directly in response to the LastPass message, make me quite jittery. Here someone writes:
My FB, YouTube, Spotify, Hotmail were logged into by hackers, and the hacker posted videos on my behalf, hundreds of videos against FB and YouTube policy, and I woke up with disabled FB and YouTube accounts. I cannot revive them, because they denied my appeal. How can LastPass be responsible?
Well, this could be a fake, or there could be another reason for this behavior. It is also possible that the user did not use a strong master password to secure their account, contrary to LastPass recommendations – or that this password was used on umpteen other sites and then appeared in lists of leaked passwords. And this user also claims that his passwords were compromised in the August 2022 incident. Here I can only recommend that LastPass users take a very close look at whether any abuse of their stored passwords is happening. I guess some people are leaving this platform now.