Notice of Recent Security Incident - The LastPass Blog
Ingalls Information Security
Enabling Innovation Through Better Cyber Risk Management
Check out recent news and resources to stay informed about what's happening in cybersecurity.
FEATURED ARTICLE
LastPass has determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of their customers’ information. They state that their customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. (LastPass)
EXPERT TAKE
“Earlier this month, threat actors were able to use information obtained from the August 2022 LastPass breach to access cloud storage used by LastPass and GoTo. LastPass maintains that there's no evidence the most recent incident resulted in access to customer data or encrypted password vaults. However, LastPass explains that in this breach, the threat actor had access to portions of their development environment and obtained source code and proprietary technical information. While customer password vaults may not currently be compromised, the risk here is that the source data and technical information may be useful to threat actors in finding and exploiting vulnerabilities within LastPass or GoTo products that may be used to compromise password vaults or customer environments in the future.”
— Cyrus Robinson, SOC Director at Ingalls Information Security
NEWS ROUNDUP
Congress is poised to vote in coming days on an $858 billion annual defense policy bill that contains significant spending increases for U.S. Cyber Command and other efforts to bolster national cybersecurity defenses. (CyberScoop)
InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information-sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself. (Krebs on Security)
Apple has rolled out a number of security features that will now offer end-to-end encryption to protect data, including backups, contacts, notes, photos, and wallet passes. The company also announced hardware Security Keys for Apple ID. (Computerworld)
Indiana sued Chinese-owned short-video sharing app TikTok on Wednesday over allegations that it is deceiving users about China's access to their data and exposing children to mature content. The office of Indiana Attorney General Todd Rokita said the popular app, owned by ByteDance, violates the state's consumer protection laws by not disclosing the Chinese government's potential to access sensitive consumer information. (Reuters)
The term ‘Magnet of Threats’ is used to describe targets so desirable that multiple threat actors regularly cohabitate on the same victim machine in the course of their collection. In the process of responding to a series of tangled intrusions at one of these Magnets of Threats, SentinelLabs researchers encountered an entirely new threat actor: ‘Metador’.
Metador’s intrusions were located primarily in telcos, ISPs, and universities in the Middle East and Africa, but that is likely only a small portion of the operations of what is clearly a long-running threat actor of unknown origin. (SentinelOne)