What actions should you take to protect yourself or your business?

We are privileged to serve millions of users and more than 100,000 businesses, and we want to ensure that all of our customers have the information they need to answer their questions.

Given the volume of information we are sharing today, we have structured this update with summaries that include embedded links to provide more detailed information on each topic.

We have heard and taken seriously the feedback that we should have communicated more frequently and comprehensively throughout this process. The length of the investigation left us with difficult trade-offs to make in that regard, but we understand and regret the frustration that our initial communications caused for both the businesses and consumers who rely on our products. In sharing these additional details today, and in our approach going forward, we are determined to do right by our customers and communicate more effectively.

If you would prefer to skip ahead to review LastPass’s recommended actions for protecting your account or your business, please click here for consumers or click here for business administrators.

WHAT HAPPENED AND WHAT ACTIONS DID WE TAKE?

The two incidents that we disclosed last year affected LastPass and our customers. Neither incident was caused by any LastPass product defect or unauthorized access to – or abuse of – production systems. Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.

We have shared technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with law enforcement and our threat intelligence and forensic partners. To date, however, the identity of the threat actor and their motivation remains unknown. There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.

Incident 1 Summary: A software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets. No customer data or vault data was taken during this incident, as there is no customer or vault data in the development environment. We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.

In response to the first incident, we mobilized our internal security teams, as well as resources from Mandiant. As part of the containment, eradication, and recovery process, we took the following actions:

- Removed the development environment and rebuilt a new one to ensure full containment and eradication of the threat actor.
- Deployed additional security technologies and controls to supplement existing controls.
- Rotated all relevant cleartext secrets used by our teams and any exposed certificates.

Details of the first incident and our remediation actions can be found here.

Incident 2 Summary: The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.

In response to the second incident, we again mobilized our incident response team and Mandiant. As part of our ongoing containment, eradication, and recovery activities related to the second incident, we have taken the following actions: