The November breach was a follow-on from a separate August breach. Information stolen from that earlier breach was used to access third-party cloud storage shared by LastPass and parent company GoTo. LastPass and GoTo say that they are still investigating the issue and have not yet released complete information on the incident, but Amazon has previously revealed that it hosts a billion of the company’s customer records on AWS servers.

Stolen password vaults were encrypted, but concerning vulnerabilities remain

Though the primary public concern will naturally center on the stolen password vaults, a more immediate issue is the unencrypted information connected to each vault. This includes basic customer account and contact information: real names and user names, billing and email addresses, phone numbers, and IP addresses. And in terms of the password vaults, the thieves can see the URLs for which passwords are stored. LastPass says that credit card and payment data was not accessed, however.

There is the possibility that password vaults may be cracked via “brute force” guessing techniques, but customers are able to negate this by changing their master password and stored passwords. However, it will be important to check for password re-use among these stored credentials.

LastPass also noted that business customers using its Federated Login Services are at no special risk, as the attackers did not have access to the stored key fragments necessary to access the hidden master password this system employs. The company has contacted about 3% of its business customers that use less secure configurations to advise them of actions they should take to remain secure.

The company listed a number of security improvements it has made since the August incident, including completely rebuilding its development environment and rotating all credentials and certificates that may have been impacted.