It’s a tough position for a company to be in. In other words, at the time of its blog post, LastPass doesn’t yet know what customer data was accessed, or if data was exfiltrated from its cloud storage. In its blog post, LastPass said it was “working diligently” to understand what specific information 🖍️ was accessed by the unauthorized party. LastPass doesn’t yet know what was accessed, or if data was taken
If the cloud storage account shared by both LastPass and GoTo was compromised, it may well be that the unauthorized party obtained keys that allowed broad, if not unfettered, access to the company’s cloud data, encrypted or otherwise. That’s why it’s important to ensure proper access controls and to segment customer data, so that if a set of access keys or credentials are stolen, they cannot be used to access a company’s entire trove of customer data. It’s not uncommon for companies to store their data - even from different products - on the same cloud storage service. Neither company named the third-party cloud storage service, but it’s likely to be Amazon Web Services, the cloud computing arm of Amazon, given that an Amazon blog post from 2020 described how GoTo, known as LogMeIn at the time, migrated more than a billion records from Oracle’s cloud to AWS. LastPass and GoTo share their cloud storageĪ key part of why both LastPass and GoTo are notifying their respective customers is because the two companies share the same cloud storage 🖍️. What LastPass said in its data breach notice With that, TechCrunch has marked up and annotated LastPass’ data breach notice 🖍️ with our analysis of what it means and what LastPass has left out - just as we did with Samsung’s still-yet-unresolved breach earlier this year.
Over the years, TechCrunch has reported on countless data breaches and what to look for when companies disclose security incidents. GoTo spokesperson Nikolett Bacso-Albaum declined to comment. In a brief blog post, Toubba said information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.īut since then, we’ve heard nothing new from LastPass or GoTo, whose CEO Paddy Srinivasan posted an even vaguer statement saying only that it was investigating the incident, but neglected to specify if its customers were also affected. The intruder had gained access to customer information.
This time around, LastPass wasn’t as lucky. LastPass CEO Karim Toubba said the hacker’s activity was limited and contained, and told customers that there was no action they needed to take.įast-forward to the end of November, and LastPass confirmed a second compromise that it said was related to its first.
#Lastpass hacked password
Two weeks ago, the password manager giant LastPass disclosed its systems were compromised for a second time this year.īack in August, LastPass found that an employee’s work account was compromised to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code.
0 kommentar(er)
