
"Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced. LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure."
"The first of two security failures occurred when an attacker compromised a company software developer's work-issued MacBook Pro, accessed the corporate development environment and related technical documentation, and exfiltrated 14 out of around 200 LastPass source code repositories. The attacker was caught after triggering an AWS security alert after they tried to manipulate access management commands that the software developer's account did not have permission to alter."
The Information Commissioner's Office fined LastPass £1.2 million after two 2022 security failures exposed personal data of up to 1.6 million UK users. An attacker compromised a developer's work-issued MacBook Pro, accessed the corporate development environment and exfiltrated 14 of roughly 200 source code repositories. The stolen source code contained unencrypted company credentials and encrypted production credentials, including backups and the customer-provided keys (SSE-C) used for server-side encryption of AWS S3 buckets. The attacker triggered an AWS alert when attempting unauthorized access-management changes; a postmortem could not determine how the MacBook was initially compromised.
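The detail that stopped the intrusion was an AWS alert on a developer account trying to alter access-management settings it had no right to touch. The following is an added illustration of that kind of detection, not code from LastPass, the ICO or The Register: it reads CloudTrail-style JSON records (the five records are constructed for this example, with placeholder IPs) and flags any `AccessDenied` result on an IAM action that would change permissions, then lists callers who hit that rule repeatedly. The set of "permission-changing" action names is an illustrative assumption, not an official list.

```python
import json
from collections import Counter

# IAM actions that grant or change permissions. Illustrative subset (assumption),
# not an exhaustive or official list.
IAM_WRITE_ACTIONS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "CreateUser", "AddUserToGroup", "UpdateAssumeRolePolicy",
}

# Constructed CloudTrail-style records (not real log data). Field names follow
# the CloudTrail record format; user names and IP addresses are placeholders.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2022-08-08T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"userName": "dev-alice"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2022-08-08T09:14:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "userIdentity": {"userName": "dev-alice"},
     "sourceIPAddress": "198.51.100.10", "errorCode": "AccessDenied"},
    {"eventTime": "2022-08-08T09:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"userName": "dev-alice"},
     "sourceIPAddress": "198.51.100.10", "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:AttachUserPolicy"},
    {"eventTime": "2022-08-08T09:15:37Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"userName": "dev-alice"},
     "sourceIPAddress": "198.51.100.10", "errorCode": "AccessDenied"},
    {"eventTime": "2022-08-08T10:02:19Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "userIdentity": {"userName": "iam-admin"},
     "sourceIPAddress": "203.0.113.5"},
])


def parse_records(text):
    """Parse newline-delimited CloudTrail-style JSON records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_denied_iam_write(rec):
    """True when a caller was refused an action that would change permissions.

    A denied read (GetUser) is noise; a denied AttachUserPolicy from an account
    that never needed it is the signal worth paging on.
    """
    return (
        rec.get("eventSource") == "iam.amazonaws.com"
        and rec.get("eventName") in IAM_WRITE_ACTIONS
        and rec.get("errorCode") == "AccessDenied"
    )


def denied_iam_writes(records):
    """Return the alert-worthy records as compact findings, in log order."""
    return [
        {"user": r.get("userIdentity", {}).get("userName", "<unknown>"),
         "action": r["eventName"], "time": r["eventTime"],
         "ip": r.get("sourceIPAddress")}
        for r in records if is_denied_iam_write(r)
    ]


def repeat_offenders(records, threshold=2):
    """Users with at least `threshold` denied IAM writes: escalate these first."""
    counts = Counter(f["user"] for f in denied_iam_writes(records))
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for f in denied_iam_writes(recs):
        print(f"ALERT {f['time']} {f['user']} denied {f['action']} from {f['ip']}")
    print("escalate:", repeat_offenders(recs))
```

Run against the sample, the rule ignores the S3 listing and the denied IAM read, flags the two denied permission changes by `dev-alice`, and leaves the successful `PutUserPolicy` by `iam-admin` alone, since a rule on denials cannot see an authorized change; that case needs a separate rule on successful IAM writes outside a change window. Successful least-privilege scoping is what makes the denial signal exist at all: an account that can already attach policies never trips it.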
Read at Theregister