Last updated: February 28, 2023, 6:11 PM IST
LastPass describes the main reason for the data breach
LastPass has confirmed multiple data breaches in 2022, and we finally know the reason for the mishap.
LastPass reported multiple data breaches that the company said did not expose user passwords, but which worried everyone involved. Now the company has released a new update this week that will make you question its security practices. The attackers who accessed LastPass's internal data also managed to compromise the home computer of one of its DevOps engineers.
LastPass explains that the PC was compromised by keylogger malware, which captured the engineer's master password and gave the attackers access to the LastPass corporate vault. Using this access, they were able to obtain the decryption keys that can be used to unlock backups of customers' password vaults.
The latest details suggest that LastPass suffered a sustained attack: the first intrusion breached the company's systems, and the second targeted one of its engineers to retrieve the backups containing its customers' vault data. The first attack was confirmed by LastPass last August, when it said hackers stole parts of the company's source code and other sensitive data.
But the company assured users that their passwords were untouched. As if that wasn't enough, the attacker used the same foothold to breach LastPass systems again last December, with the company again stating that its users' passwords were secure.
It's safe to say that the latest update changes the story, especially since the attackers managed to break into one LastPass engineer's computer, giving them access to even more confidential data.
An attacker holding decryption keys is never an acceptable situation. People will now wonder how the home PC of an engineer at a password manager company could be hacked, and, given that it was, what kind of security LastPass provides to its customers, let alone its own employees. People will also consider moving to other platforms after seeing the repeated attacks on LastPass in such a short period of time.
LastPass, which has more than 25 million users, works by storing the hundreds of passwords that consumers and business users need to log in to their social media accounts, business networks, online stores and more.