More Details of LastPass Breach: Hackers Used Stolen Encryption Key

A breach at LastPass is the gift that keeps on giving—or taking, depending on your perspective. LastPass parent company GoTo raised the alarm this week that, in addition to stealing encrypted backups containing customer data, hackers nicked an encryption key last November.

“An unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data,” said an alert at that time, which provided additional information on a breach discovered the previous August.

“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the [August] incident,” the alert noted. “Some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

In the latest update, GoTo CEO Paddy Srinivasan said the company’s investigation showed the threat actor had “exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi and RemotelyAnywhere.”

The stolen encryption key could unlock a portion of the backups. “The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multifactor authentication (MFA) settings, as well as some product settings and licensing information,” Srinivasan wrote. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

So far, the company hasn’t uncovered evidence that data was exfiltrated from other GoTo products or production systems.

GoTo has taken steps to mitigate the risk posed by the breach. “Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable,” Srinivasan said. “In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options.”

Noting that “there is an inherent risk involved anytime a company outsources its offerings to customers, especially in the case of data storage on the cloud,” Darren Guccione, CEO and co-founder at Keeper Security, said, “When the organization does not own and operate the infrastructure that runs its cloud-based resources, not only does that organization lack control, but it has reduced visibility in the event of an emergency such as a data breach, which could hamper incident response.”

Consumers, he said, put “their trust in an organization to handle their data with the utmost security; when the organization fails to do this, it understandably breaks that trust.”

“Backups are critical for organizations, but can be overlooked in day-to-day security operations, and therefore, not protected with the same fervor as live data,” added Guccione. “This can be a costly mistake.”

Although organizations may feel that “spreading backups across multiple clouds, third-party storage vendors or backup providers” protects them better, he said, “the reality is that the organization may be increasing their risk of that data being breached.”

Those that do “use multiple third-party vendors to store their backup data must ensure strict security measures are implemented to encrypt and protect it,” Guccione explained.

GoTo and LastPass drew criticism for the way communications about the breach were handled. “A breach never kills any company or ends careers. However, a bad response to an incident does,” said John Bambenek, principal threat hunter at Netenrich. “I have lost track of how many updates to this incident there have been that only increase the impact of the breach.”

“Customers want to know a company has a handle on their response and going back to revise what has happened repeatedly destroys that confidence,” said Bambenek.

“Reputation takes great effort to build, but it can be destroyed quickly,” he said. “This appears to be the outcome that we’re going to see here.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.