Can LastPass still be trusted after the latest attack?
There has been another security disclosure from LastPass, and it's not looking good. The password management company says that the second intrusion into its infrastructure was a follow-on to the first breach, which it reported in August 2022.
“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities,” LastPass wrote.
When LastPass first reported the August incident, it said the attacker had taken portions of source code and proprietary technical information from its development environment, but that there was no evidence customer data or encrypted password vaults had been compromised. At that point there wasn't any major cause for alarm for customers; the intrusion appeared to be contained to the development environment.
But then in December, the company released fresh details revealing that the attacker had copied a backup of customer vault data out of encrypted cloud storage. LastPass's position was that this was no cause for panic: the sensitive fields (usernames, passwords, secure notes, form-fill data) are encrypted with 256-bit AES under a key derived from the customer's master password, which LastPass never holds. Two caveats matter here. The backup also contained unencrypted fields, including the website URLs in each vault plus names, email addresses, phone numbers, billing addresses and IP addresses. And nothing stops the attacker from guessing master passwords offline against the stolen copy, so the reassurance holds only for accounts with a strong, unique master password and a high PBKDF2 iteration count; many older accounts had been left on far fewer iterations than the 100,100 default in force at the time.
But things have gone from bad to worse with the latest disclosure. The second incident was not a separate, coordinated attack but a continuation by the same threat actor, running from August 12 to October 26, 2022, during which they gained access to the encrypted shared cloud storage environment where LastPass kept its backups, together with the decryption keys for that storage.
In simple terms, the attacker obtained the keys to the encrypted containers holding the backups they had targeted, including the customer vault backups and database backups with further customer and account data. The vault contents themselves are still encrypted under keys derived from each user's master password, which LastPass does not hold, so those still have to be cracked offline. How did this happen? As LastPass notes, only four of its DevOps engineers had access to the shared cloud storage environment where the decryption keys were kept, and the attacker targeted one of them.
The attacker combined information taken in the first incident, data from an unrelated third-party breach, and a vulnerability in Plex media server software on the engineer's home computer (LastPass itself referred only to a vulnerable third-party media software package; Plex later said the flaw had been patched years earlier and the engineer's installation had not been updated). That foothold was used to install a keylogger, which captured the master password for the engineer's corporate LastPass vault as it was typed after MFA had been completed. The vault held the encrypted secure notes containing the access and decryption keys for the cloud storage.
So is it time to ditch the LastPass password manager? At a minimum, if you are a LastPass user, you should already have changed your master password and, more importantly, rotated every credential stored in the vault, starting with email, financial and identity-provider accounts. A new master password only re-keys the live vault; it does nothing for the copy already in the attacker's hands, and that copy will be cracked sooner or later if the old master password was weak or reused. Also check your account's PBKDF2 iteration count and raise it to the current LastPass default if it is still at the 5,000 or lower that older accounts were left on, since the iteration count sets the attacker's cost per guess.
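The encryption caveat above, that a stolen vault is only as safe as the master password and the iteration count behind it, in runnable form. This is an added example written for this article; it is not LastPass's code and is not from the original post. It assumes a LastPass-style key derivation (PBKDF2-HMAC-SHA256 salted with the account email) and substitutes an HMAC key check for the AES vault decryption; the email, master password, wordlist and iteration counts are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example data (not from any real LastPass account or breach).
CONSTRUCTED_EMAIL = "victim@example.com"
CONSTRUCTED_MASTER_PASSWORD = "Summer2022!"

# Constructed guess list standing in for a real cracking wordlist.
CONSTRUCTED_WORDLIST = [
    "password", "123456", "qwerty", "letmein", "Password1",
    "Summer2021!", "Summer2022!", "correcthorsebatterystaple",
]

# Assumption: vault keys are derived LastPass-style with PBKDF2-HMAC-SHA256,
# salted with the account email, at a per-account iteration count.
OLD_DEFAULT_ITERATIONS = 5000      # value many older accounts were left on
NEWER_DEFAULT_ITERATIONS = 100100  # LastPass default at the time of the breach


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault encryption key from the master password."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, 32
    )


def key_check(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault': a MAC under the key.

    A real attacker would AES-decrypt a vault field and look for valid padding
    or readable structure instead; the per-guess cost is dominated by PBKDF2
    either way, which is the point of this example.
    """
    return hmac.new(vault_key, b"lastpass-example-vault", "sha256").digest()


def encrypt_vault(master_password: str, email: str, iterations: int) -> dict:
    """Produce what an attacker gets from a stolen vault backup: the salt (email),
    the iteration count, and ciphertext that verifies a candidate key."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "check": key_check(key)}


def offline_guess(stolen: dict, wordlist):
    """Dictionary attack on a stolen vault copy. Returns (password, guesses) or
    (None, guesses) if the list is exhausted. Never contacts LastPass, so
    lockouts, MFA and rate limits do not apply."""
    for n, guess in enumerate(wordlist, 1):
        candidate = derive_vault_key(guess, stolen["email"], stolen["iterations"])
        if hmac.compare_digest(key_check(candidate), stolen["check"]):
            return guess, n
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the attacker's cost of one guess at a given iteration count."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("x", CONSTRUCTED_EMAIL, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    stolen_copy = encrypt_vault(CONSTRUCTED_MASTER_PASSWORD, CONSTRUCTED_EMAIL, OLD_DEFAULT_ITERATIONS)
    pw, guesses = offline_guess(stolen_copy, CONSTRUCTED_WORDLIST)
    print(f"recovered {pw!r} from the stolen copy after {guesses} guesses")

    # Rotating the master password re-keys only the live vault; the copy the
    # attacker already holds is still protected by the old password.
    rotated = encrypt_vault("NewAndMuchStronger-Passphrase-2023", CONSTRUCTED_EMAIL, NEWER_DEFAULT_ITERATIONS)
    print("rotated live vault cracked:", offline_guess(rotated, CONSTRUCTED_WORDLIST)[0])
    print("old stolen copy cracked:   ", offline_guess(stolen_copy, CONSTRUCTED_WORDLIST)[0])

    for it in (OLD_DEFAULT_ITERATIONS, NEWER_DEFAULT_ITERATIONS):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1000:.1f} ms per guess on this machine")
```

Run it and the first vault falls to a short wordlist; the rotated vault survives the same list, but the stolen copy does not, which is why changing the stored credentials matters more than changing the master password after the fact. The timing loop shows the only lever LastPass controls: at 5,000 iterations a guess costs about a twentieth of what it costs at 100,100, and a GPU cracking rig scales that gap across billions of guesses.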
LastPass has suffered a total of seven major security incidents in the last ten years. For a company entrusted with the keys to people's personal accounts, this doesn't paint a very good picture.
Speaking on the issue, cybersecurity expert Jeremi Gosney has said it has reached a point where LastPass can't be defended anymore.
“Let me start by saying I used to support LastPass. I recommended it for years and defended it publicly in the media. But things change, and in recent years I found myself unable to defend LastPass,” Gosney said, before going on to list the reasons why the password manager can no longer be trusted.