LastPass hacked for the 2nd time this year, are your passwords still safe?


Alexandre Fiannaca

December 01, 2022 at 12:18 p.m.

© B_A/Pixabay

The management of the well-known password manager said it had “immediately launched an investigation”. It sought to reassure users, explaining that no password was in danger.

Another blow for LastPass and its parent company GoTo. A service used jointly by the two companies is reportedly at the heart of the breach.

Passwords are not compromised

On November 30, LastPass said it detected “abnormal activity” within a “cloud storage service”. Customer information could be accessed by the attackers. But the firm's CEO, Karim Toubba, remains rather vague for now as to its nature.

“We work […] to assess the scope of the incident and identify the specific information that was accessed,” he said in a blog post. It is therefore impossible to know more about the service involved or about the amount of data affected.

However, the company wanted to quickly reassure its users: “Our customers’ passwords stay encrypted and secure thanks to the Zero Knowledge architecture”. This method ensures that only the user can read the information they store in their own vault.

LastPass also said it hired cybersecurity specialist Mandiant, as part of its risk management program, and notified law enforcement of the malicious access. “As always, we’ll let you know as soon as we know more,” it added.

An attack that exploits another

This is the second time in 2022 that the password manager has been hacked. This time, the hackers took advantage of a data theft last August. That theft had been made possible by an intrusion into the application's source code, through the fraudulent use of a developer’s workstation.

However, for obvious security reasons, LastPass separates its development and production environments. This had drastically limited the possibilities for large-scale sabotage…

Sources: LastPass, Bleeping Computer, The Guardian
