LastPass Hack Update: Customer Information Accessed

LastPass, the password storage service, has just revealed that customer information was accessed during the hack of their data that occurred at the end of August 2022. The data was stored with a 3rd-party cloud storage provider.

Previously they had said that it was “limited to the LastPass Development environment in which some of our source code and technical information was taken.”

In an email late last night (December 1, 2022) LastPass said “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”

Here’s the full email:

Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/.

We thank you for your patience while we work through our investigation.

Sincerely,
The Team at LastPass

What is a bit baffling (besides a company that is entrusted with keeping the passwords of millions of people safe off-servering that data onto a 3rd-party cloud provider) is that the email came very late in the evening on Thursday, December 1, even though the blog post announcing it is dated November 30th. It’s almost as if they wanted to wait until Friday (the traditional day for releasing bad news, because far fewer people are likely to see it) but couldn’t really justify waiting two whole days, so they sent the email out late Thursday night.

Of course, LastPass is not the only company entrusted with sensitive user data that stores that data on a 3rd-party cloud storage system. A few years ago there was a massive data breach compromising the personal data of customers of all sorts of stores for whom Capital One issues credit cards; that data was stored on Amazon cloud servers. As we always say, “the cloud” is just another term for “somebody else’s computer system”. That means that someone you entrust to keep your personal data safe is shoving it onto someone else’s computer system and trusting them to keep it safe, often without even letting you know in any meaningful, clear way. To use Capital One as an example: when you give Capital One your personal information, they are going to store it offsite, at Amazon.

And how does that make you feel?
