LastPass Breach Is Looking Worse

Carly Page, reporting for TechCrunch:

The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi, and its Remotely Anywhere remote access tool.

GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.

This breach now sounds like a company covering its ass. LastPass users should consider everything they stored in LastPass tainted.

Tuesday, 24 January 2023