LastPass has hired InfoSec researchers from Mandiant to investigate the break-in and has also notified the authorities. The passphrase is only ever entered by the user on their browser or app and is never sent to or stored by LastPass. Master passwords are used to lock users' password vaults, where their logins for user accounts are stored. The company uses a one-way salted hash for master passwords, as described in a technical white paper. LastPass emphasized that its services were unaffected, and that customers' passwords remained "safely encrypted," though it did not rule out the possibility that some data was stolen. Last night's statement also confirmed that the attackers used information stolen in an August attack to carry out the current intrusion.
The company is working to understand the scope of the incident and determine what specific information was accessed. LastPass did not specify what it meant by "certain elements," stating that it is unsure of what data was accessed. LastPass and affiliate company GoTo have confirmed that intruders broke into a third-party cloud storage service they use and gained access to "certain elements" of their customers' information. In this post, I'll share some of the key highlights, including the discovery of a critical flaw in a Chrome, LastPass breach and the leakage of Android app signing keys for multiple vendors. I'm always on the lookout for the latest developments in the field, and this week was no exception. This week, we saw a number of interesting developments in security world, from new vulnerabilities and malware exploiting a known CVE and finally a breach that is a reminder that we all need to revisit the current best practices for keeping your passwords secure. Welcome to this week in security! Tikka Nagi is back as the editor.
0 kommentar(er)
