Global password manager LastPass suffered a data breach in August 2022 that was said to involve nothing more than source code. After investigating that incident, in September 2022 LastPass concluded:

> Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.

Unfortunately, the second breach from November 2022 did not have the same positive outcome. The second breach did involve user data, and it looks to be more expansive than the original breach.

> The threat actor was also able to copy a backup of customer vault data

Whether the encryption will hold is a different question, one that I’ll discuss below.

But first: one important detail is still missing. When did this breach happen? Given that LastPass now seems to know which employee was targeted to gain access, they should also know when it happened. I can only see one explanation: it happened immediately after their August 2022 breach. I suspect that the September conclusion was premature and that what has been exposed now is merely the next step of the first breach, which was already ongoing in September. Publishing the breach date would make this obvious, so LastPass doesn’t, to save face.

Whenever LastPass has a security incident, they stress their Zero Knowledge security model:

> LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data

Ok, let’s assume that indeed no master passwords have been captured (more on that below). This means that attackers will have to guess master passwords in order to decrypt stored passwords.