LastPass has confirmed that hackers have gained access to a third-party cloud storage service that contained customer data, although no user passwords were compromised. The hacking incident is linked to the security breach that occurred in August 2022.
In August, a hacker successfully compromised a developer account that provided access to the LastPass developer environment. Source code and proprietary technical information were stolen, although no user information was compromised, and password vaults remained secure.
The latest announcement by LastPass CEO Karim Toubba is about a separate incident. Information stolen in the August breach allowed access to be gained to a third-party storage service that is shared by LastPass and its affiliate, GoTo (formerly LogMeIn). GoTo issued a similar breach notification in the past few days.
LastPass said both incidents were investigated promptly, with assistance provided by the cybersecurity firm Mandiant. The investigation into the breach is ongoing, but it has been confirmed that access was gained to some portions of the information of its customers. The types of information compromised have yet to be publicly disclosed.
Password managers are naturally a target for hackers as they are used to store the entire collection of passwords of their customers. LastPass is naturally a target being one of the most popular password managers. The company claims to have 33 million registered customers and serves more than 100,000 businesses. For security reasons, password managers typically are based on zero-knowledge architecture. That means that the password manager provider does not have access to customers’ encrypted password vaults. As was the case in the August breach, Toubba stressed that “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
Despite being a target for hackers, using a password manager is still considered to provide better security than not using one, as they allow users to improve their password practices and set unique, complex passwords for each account and avoid password reuse on multiple platforms. Naturally, a very strong password should be set for the master password that secures password vaults, and 2-factor authentication should be implemented.
Earlier this month, LastPass released a Psychology of Passwords report which suggested that while security awareness training programs are being increasingly provided by businesses, they do not appear to be having much of an effect on eradicating poor password practices such as password reuse. Respondents to the survey claimed to be aware of password risks but were choosing convenience over security and were still reusing passwords on multiple platforms and engaging in poor password practices. Passwordless authentication can solve these password problems, but until the technology is implemented, password managers are the best solution for improving password security as they make it easier to follow password best practices.
The post LastPass Confirms Customer Data Breached in Hacking Incident appeared first on HIPAA Journal.