Two weeks ago, the password manager giant LastPass disclosed its systems were compromised for a second time this year.
Back in August, LastPass found that an employee’s work account was compromised to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code. LastPass CEO Karim Toubba said the hacker’s activity was limited and contained, and told customers that there was no action they needed to take.
Fast-forward to the end of November, and LastPass confirmed a second compromise that it said was related to its first. This time around, LastPass wasn’t as lucky. The intruder had gained access to customer information.
In a brief blog post, Toubba said information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.
But since then, we’ve heard nothing new from LastPass or GoTo, whose CEO Paddy Srinivasan posted an even vaguer statement saying only that it was investigating the incident, but neglected to specify if its customers were also affected.
GoTo spokesperson Nikolett Bacso-Albaum declined to comment.
Over the years, TechCrunch has reported on countless data breaches and what to look for when companies disclose security incidents. With that, TechCrunch has marked up and annotated LastPass’ data breach notice with our analysis of what it means and what LastPass has left out — just as we did with Samsung’s still-unresolved breach earlier this year.
What LastPass said in its data breach notice
LastPass and GoTo share their cloud storage
A key part of why both LastPass and GoTo are notifying their respective customers is because the two companies share the same cloud storage.
Neither company named the third-party cloud storage service, but it’s likely to be Amazon Web Services, the cloud computing arm of Amazon, given that an Amazon blog post from 2020 described how GoTo, known as LogMeIn at the time, migrated more than a billion records from Oracle’s cloud to AWS.
It’s not uncommon for companies to store their data — even from different products — on the same cloud storage service. That’s why it’s important to enforce proper access controls and to segment customer data, so that if a set of access keys or credentials is stolen, it cannot be used to access a company’s entire trove of customer data.
If the cloud storage account shared by both LastPass and GoTo was compromised, it may well be that the unauthorized party obtained keys that allowed broad, if not unfettered, access to the company’s cloud data, encrypted or otherwise.
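As an added illustration of the segmentation point above (not a policy from LastPass, GoTo or AWS, which has not been named as the provider), this is an AWS IAM policy that would be attached to one product’s service role, in contrast with a broad grant such as `"Action": "s3:*", "Resource": "*"` that lets any stolen key read every product’s data. The bucket name, prefix, account ID and key ID are placeholders; the role can list and read only its own prefix and can decrypt only with its own KMS key, so a key stolen from one product does not unlock the other’s records.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisProductsPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-shared-customer-data",
      "Condition": {
        "StringLike": { "s3:prefix": ["product-a/*"] }
      }
    },
    {
      "Sid": "ReadWriteOnlyThisProductsObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-shared-customer-data/product-a/*"
    },
    {
      "Sid": "DecryptOnlyWithThisProductsKey",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

With a separate key per product, a compromised credential that reaches the bucket still returns ciphertext it cannot decrypt, and the attempt shows up as a denied `kms:Decrypt` call in CloudTrail, which is exactly the kind of log an incident responder would want to comb through.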
LastPass doesn’t yet know what was accessed, or if data was taken
In its blog post, LastPass said it was “working diligently” to understand what specific information was accessed by the unauthorized party. In other words, at the time of its blog post, LastPass doesn’t yet know what customer data was accessed, or if data was exfiltrated from its cloud storage.
It’s a tough position for a company to be in. Some move to announce security incidents quickly, especially in jurisdictions that obligate prompt public disclosures, even if the company has little or nothing yet to share about what has actually happened.
LastPass will be in a far better position to investigate if it has logs it can comb through, which can help incident responders learn what data was accessed and if anything