LastPass on Wednesday reported that it detected “unusual activity” within a third-party cloud service that’s shared by LastPass and its GoTo affiliate — an event that was the company’s second reported breach in three months.
In a blog update to customers, LastPass CEO Karim Toubba said the unauthorized party, using information obtained in the earlier August 2022 incident, gained access to “certain elements” of customer information.
Toubba said LastPass launched an investigation, hired Mandiant, and alerted law enforcement.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” wrote Toubba. “In the meantime, we can confirm that LastPass products and services remain fully functional.”
It’s concerning to hear that LastPass experienced another security incident following a previous one that was made public back in August, said Chris Vaughan, vice president, technical account management, EME at Tanium. Vaughan said the attack involved source code and technical information being taken through unauthorized access to a third-party storage service the company uses.
“The new breach is more severe because customer information has been accessed, which wasn’t the case previously,” Vaughan said. “The intruder has done this by leveraging data exposed in the previous incident to gain access to the LastPass IT environment. The company says that passwords remain safely encrypted and that it is working to better understand the scope of the incident and identify exactly what data has been taken. You can bet that the IT security team is working around the clock on this and their visibility of the network and the devices being connected to it will be severely tested.”
Vaughan added that password managers are a challenging but attractive target for a threat actor, as they can potentially unlock a treasure trove of access to accounts and sensitive customer data in an instant if they are breached.
“However, the benefits of using a secure password management solution often far outweigh the risks of a potential breach,” said Vaughan. “When layered with the other security recommendations, it's still one of the best solutions to prevent credential theft and associated attacks. We just have to hope that customer confidence has not been impacted too much by these recent attacks.”
Lorri Janssen-Anessi, director, external cyber assessments at BlueVoyant, added that there’s a notion of security with cloud hosting, and while that’s somewhat true, organizations must still stay aware of the attack surface that exists on cloud-hosted networks, services, or applications.
Companies must still minimize user privileges, patch vulnerable software, be conscious of what assets are actively hosted, and make sure to have secure configurations, including the cloud security settings, said Janssen-Anessi.
“Be thoughtful about what you choose to host in the cloud, and don’t put critical data or operationally necessary applications that could affect your business continuity in the cloud as you are at the mercy of the hosting provider and their continuity-of-services,” said Janssen-Anessi. “Like any third-party connection, cloud hosting also needs to be thoughtfully included and secured within your ecosystem.”