LastPass: What Happened After the August 2022 Breach of a Third-Party Cloud Storage Service?
LastPass says the vault backups were not compromised in the initial August incident, but that the threat actor used information stolen then to target an employee with access to a third-party cloud storage service. From that storage the attacker copied backups containing basic customer account information and related metadata, including billing addresses, email addresses, telephone numbers and the internet protocol addresses from which customers were accessing the service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container. That backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
If you have an older account, a weaker password-strengthening setting may be protecting your master password. LastPass says it currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function” (PBKDF2), but when a Verge staff member checked their older account using the link the company includes in its blog post, it reported that the account was set to 5,000 iterations. The iteration count is what makes each guess at a master password expensive for an attacker holding a stolen vault, so an account left at 5,000 iterations gets roughly a twentieth of the protection of one at 100,100.
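A worked example of what the iteration count buys, added here and not taken from LastPass’s code or from the article: PBKDF2-HMAC-SHA256 run at the two counts the text mentions. The key-derivation shape (master password as secret, lowercased account e-mail as salt, 32-byte output) follows LastPass’s public description of its scheme but should be treated as an assumption, as should the sample password and e-mail; PBKDF2 itself is the real hashlib primitive.

```python
"""Added example (not LastPass's code): how the PBKDF2 iteration count changes
the cost of an offline guessing attack against a stolen vault backup.

Assumptions, labelled: the scheme is modelled on LastPass's public description
(PBKDF2-HMAC-SHA256, master password as secret, lowercased e-mail as salt,
256-bit key). The two iteration counts, 5,000 and 100,100, come from the text
above; the sample password and e-mail are made up for the example.
"""
import hashlib
import time

KEY_LEN = 32  # 256-bit vault key (assumption)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256(master_password, salt=lowercased e-mail, iterations)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def relative_attack_cost(old_iterations: int, new_iterations: int) -> float:
    """How many times more work per guess the new count costs an attacker.

    PBKDF2 is linear in its iteration count, so this is just the ratio."""
    return new_iterations / old_iterations


def guesses_per_second(iterations: int, sample: int = 20) -> float:
    """Measure this machine's single-core guessing rate at a given count.

    A GPU cracker is orders of magnitude faster in absolute terms, but the
    ratio between two iteration counts carries over unchanged."""
    start = time.perf_counter()
    for i in range(sample):
        derive_vault_key(f"guess{i}", "victim@example.com", iterations)
    return sample / (time.perf_counter() - start)


def iteration_count_is_weak(iterations: int, floor: int = 100_100) -> bool:
    """True if an account sits below the floor.

    The default floor is the figure the text quotes as LastPass's current
    setting; OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000."""
    return iterations < floor


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "Victim@Example.com"  # constructed
    old_key = derive_vault_key(pw, email, 5_000)
    new_key = derive_vault_key(pw, email, 100_100)
    print("5,000-iteration key:  ", old_key.hex())
    print("100,100-iteration key:", new_key.hex())
    print(f"per-guess cost multiplier: {relative_attack_cost(5_000, 100_100):.2f}x")
    for count in (5_000, 100_100):
        flag = "WEAK" if iteration_count_is_weak(count) else "ok"
        print(f"{count:>7,} iterations: {guesses_per_second(count):>8,.0f} guesses/s on this CPU [{flag}]")
```

Because PBKDF2’s cost is linear in the iteration count, the 5,000-iteration account gives an attacker with a stolen vault roughly twenty times more guesses per second than a 100,100-iteration one; the timing helper prints that ratio for the local CPU. For new deployments OWASP’s current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations, so 100,100 is a floor rather than a target.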
The more concerning bit is that the unencrypted URLs tell a hacker which websites you have accounts with. For an attacker who decides to target particular users, that is powerful information when combined with phishing or other types of attacks.
While none of that is great news, it’s all something that could, in theory, happen to any company storing secrets in the cloud. What makes cybersecurity the game it is isn’t a 100 percent flawless track record, but how you react to disasters when they happen.
LastPass is making this announcement today, December 22nd, a time when many IT departments are on vacation and when people aren’t likely to pay attention to password manager updates.
(Also, the announcement doesn’t get to the part about the vaults being copied until five paragraphs in. And while some of the information is bolded, I think it’s fair to expect that such a major announcement would be at the very top.)
LastPass’s Response, and the Rest of 2022’s Worst Hacks
The company says it is doing all it can to make sure this doesn’t happen again, and has taken measures such as adding more logging to detect suspicious activity in the future, rebuilding its environment, rotating credentials, and more.
You’ve heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. If you finally took the plunge with a free and mainstream option during the 2010s, it was probably LastPass. For the security service’s 25.6 million users, though, the company made a worrying announcement last week: A security incident the firm previously reported on November 30 was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data.
A security engineer who worked at LastPass for more than seven years believes the company is doing a crummy job detecting incidents and preventing issues. “I would either look for new options or be looking to see a renewed focus on building trust from their new management team,” they said.
With the pandemic evolving into an amorphous new phase and political polarization on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defenses.
For years, Russia has pummeled Ukraine with brutal digital attacks, causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country’s networks. Since Russia’s invasion of Ukraine, though, the tempo has changed for some of its most dangerous military hackers: long-term campaigns and elaborate hacks have largely given way to a much tighter clip of quick intrusions into Ukrainian institutions followed by destruction on the network. Russian operatives appear to be applying the same tactic on the battlefield and in cyberspace, one that causes great pain to the Ukrainian government and its citizens.
Over the summer, a group that researchers dubbed 0ktapus (also sometimes known as “Scatter Swine”) went on a massive phishing bender, compromising nearly 10,000 accounts at more than 130 organizations, the majority of them based in the US. The attackers sent targets text messages with malicious links that led to fake login pages for Okta, the single sign-on service many companies use to gate access to their other accounts. The goal was to steal Okta credentials, along with the accompanying two-factor codes, so that one set of credentials could open a bunch of accounts at once.
The communications firm Twilio was among the victims; attackers breached it at the beginning of August, affecting 163 of its customer organizations. Twilio is a big company, so that only amounted to 0.06 percent of its clients, but sensitive services like the secure messaging app Signal, the two-factor authentication app Authy, and the authentication firm Okta were all in that slice and became secondary victims of the breach. One knock-on effect was that the attackers were able to gain access to the accounts of some Twilio customers, since the company’s platform is used to send the verification text messages those customers rely on.
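Both paragraphs above describe the same mechanism: a link whose host name looks like the target organisation’s Okta sign-in page but is registered by the attacker. The following is an added detection example (not code from the article, Okta, Twilio or the researchers) of the kind of first-pass filter a mail or SMS gateway could run over extracted links. The organisation “acme”, its tenant hosts, the keyword list and every sample URL are constructed for the example; it uses a two-label approximation of the registrable domain where a production filter would consult the Public Suffix List.

```python
"""Added example (not from the article, Okta or Twilio): flag links whose host
name imitates an organisation's Okta sign-in page but is not its tenant.

Assumptions, labelled: the organisation "acme", the hosts in LEGIT_SSO_HOSTS,
the brand keywords, the homoglyph table and all SAMPLE_LINKS are constructed
for this example. registrable_domain() keeps the last two labels, which is
fine for .com-style names; a production filter would use the Public Suffix List.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Hypothetical organisation "acme" and the only hosts its real Okta tenant uses.
LEGIT_SSO_HOSTS = {"acme.okta.com", "acme.oktapreview.com"}
# Words an attacker puts in a look-alike host so the link "feels right".
BRAND_KEYWORDS = ("okta", "acme", "sso", "login", "mfa")
# Digit/symbol swaps seen in look-alike names (0kta, 1ogin, @cme ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def registrable_domain(host: str) -> str:
    """'acme.okta.com.evil.example' -> 'evil.example' (two-label approximation)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'other'.

    Only an exact allow-listed tenant host is 'legit': anyone can create
    another *.okta.com tenant, so trusting the whole okta.com zone is unsafe.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "other", "no host name in URL"
    if host in LEGIT_SSO_HOSTS:
        return "legit", f"{host} is an allow-listed tenant host"
    # Not our tenant: any brand reference (even with digit swaps) is suspect.
    normalised = host.translate(HOMOGLYPHS)
    hits = [kw for kw in BRAND_KEYWORDS if kw in normalised]
    if hits:
        return (
            "lookalike",
            f"{host} (registered under {registrable_domain(host)}) is not a tenant host but contains {hits}",
        )
    return "other", f"{host} does not reference the brand"


def triage(links: List[str]) -> List[str]:
    """Return the subset of links that should be blocked or escalated."""
    return [u for u in links if classify_url(u)[0] == "lookalike"]


# Constructed sample links (not real 0ktapus infrastructure).
SAMPLE_LINKS = [
    "https://acme.okta.com/login/login.htm",
    "https://acme-okta.com/",
    "https://acme-sso.com/verify",
    "https://0kta.com/signin",
    "https://acme.okta.com.evil.example/",
    "https://news.example.org/story",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, why = classify_url(link)
        print(f"{verdict:9} {link:42} {why}")
    print("escalate:", triage(SAMPLE_LINKS))
```

The filter deliberately treats only the organisation’s own tenant hosts as trusted: a look-alike can sit under the attacker’s own okta.com tenant just as easily as under a freshly registered domain, and the host name is the one part of the lure the attacker cannot make identical.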
In recent years, countries around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. Vice Society, a Russian-speaking group, has long specialized in targeting both categories and focused on the education sector this year. The group had a particularly memorable showdown with the Los Angeles Unified School District at the beginning of September, in which the district ultimately took a stand and refused to pay the attackers, even as its digital networks went down. The LAUSD system includes more than 1,000 schools, and given its high profile Vice Society may have bitten off more than it could chew.
The Department of Health and Human Services, the FBI, and the US Cybersecurity and Infrastructure Security Agency warned the public in November about the Russia-linked Hive ransomware group. The agencies said Hive’s ransomware has been used against more than 1,300 organizations around the world, yielding roughly $100 million in ransom payments from victims. “From June 2021 through November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote.
The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta. The attackers appeared to be based primarily in the United Kingdom, and at the end of March, British police arrested seven people in association with the group and charged two at the beginning of April. The group went back to its old ways in September, going after ride-share platforms and the developer of Grand Theft Auto. On September 23, police in the UK arrested a 17-year-old in Oxford who they say is one of the individuals arrested in March in connection with Lapsus$.