Major Online Password Service Compromised

Aug 27, 2022

black hat

LastPass has been compromised. It’s good that they’re disclosing it in relatively short order. You might say it was the keys to the kingdom that were stolen. Someone pilfered ‘portions’ of their source code, and some proprietary technical information. It has not been revealed what ‘some’ or ‘portions’ actually means.

The source code and the proprietary technical information give a potential attacker a better understanding of how LastPass works, and with it a better idea of how to exploit the service.

Could this be worse than a password database exfiltration? It all depends on what was in that source code and the technical information.

With a lot of our data being in the cloud, we should be vigilant about which companies have our data, how they store it, …

There has been a lot of news over the past several years about unsecured AWS S3 buckets with unencrypted credentials stored in them, ransomware running roughshod over organizations, … It is surprising to hear of the proprietary technical information and source code of a security-focused business being stored on publicly accessible servers.

Ultimately, in a security-focused organization, the source code and technical information should be kept on air-gapped networks. In a non-security-focused organization, developer accounts should at a minimum be secured with 2FA, but it seems that in this case the account was secured only by a password. It’s also not clear how the hackers gained access to the account (brute force or social engineering). In this case, the security-focused organization is not really setting a good example for the rest of us.

Organizations can learn a lot from this. The question is, will they?
