Security News
As often occurs, we are at a security limbo - on the one hand, as LastPass has noted, users who followed LastPass best practices would be exposed to practically zero to extremely low risk. To assist them throughout this challenging time, Browser Security solution LayerX has launched a free offering of its platform, enabling security teams to gain visibility into all browsers on which the LastPass extension is installed and mitigate the potential impacts of the LastPass breach on their environments by informing vulnerable users and require them to implement MFA on their accounts and if required, roll out a dedicated Master Password reset procedure to eliminate adversaries' abilities to leverage a compromised Master Password for malicious access.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
LastPass says attackers got users' info and password vault dataThe information couldn't come at a worst time, as businesses are winding down their activities and employees and users are thick in the midst of last-minute preparations for end-of-year holidays. New Microsoft Exchange exploit chain lets ransomware attackers inRansomware-wielding attackers are using a new exploit chain that includes one of the ProxyNotShell vulnerabilities to achieve remote code execution on Microsoft Exchange servers.
We have seen no evidence that this incident involved any access to customer data or encrypted password vaults. Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.
The August 2022 LastPass breach has resulted in potentially catastrophic consequences for the company and some of its users: attackers have made off with unencrypted customer data and copies of backups of customer vault data. "These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client."
Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contains the passwords to their accounts. The update reveals that the attacker also copied "Customer vault" data - the file LastPass uses to let customers record their passwords.
The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company. The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults using data siphoned from the break-in.
LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. Toubba added in a new update to the original statement that Lastpass' cloud storage was accessed using "Cloud storage access key and dual storage container decryption keys" stolen from its developer environment.
Pre-auth RCE in Oracle Fusion Middleware exploited in the wildA pre-authentication RCE flaw in Oracle Access Manager that has been fixed in January 2022 is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities Catalog. LastPass, GoTo announce security incidentLastPass and its affiliate GoTo have announced that they suffered a security incident and, in LastPass' case, a possible data breach.
Back in August 2022, popular password manager company LastPass admitted to a data breach. LastPass insisted that the developer's account hadn't given the criminals access to any customer data, or indeed to anyone's encrypted password vaults.