![]() ![]() End-user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data. ![]() All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using the LastPass Zero knowledge model and could only be decrypted with a unique encryption key derived from each user’s master password. ![]() Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data.DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.Internal documentation – technical information that described how the development environment operated.Internal scripts from the repositories – these contained LastPass secrets and certificates.On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.What Was LostĪs detailed in the incident summaries, the threat actor stole both LastPass proprietary data and customer data, including the following: Summary of Data Accessed in Incident 1: LastPass is said to have a registered user base of over 25 million.Īs more information came out, LastPass confirmed that a threat actor had “targeted a senior DevOps engineer by exploiting vulnerable third-party software.” The third-party software was the popular media streaming software Plex…and the vulnerability was a two-year old CVE from 2020. GoTo has 800,000 enterprise and private users, but the company is still refusing to disclose how many of them were affected by the LastPass breach. GoTo (the company formerly known as LogMeIn that acquired LastPass in 2021), released a Mastatement regarding the original security breach it experienced back in August 2022. ![]()
0 Comments
Leave a Reply. |