



The password manager published an update on Dec. 22 to its blog post disclosing August's security breach. 25, LastPass CEO Karim Toubba wrote that an "unauthorized party" gained access to the LastPass development environment by compromising a developer account. As a result, "portions of source code and some proprietary LastPass technical information" were stolen.

A Sept. 15 update provided additional technical details, while a Nov. 30 update to the post referenced a recent "security incident" that was currently under investigation. At the time, Toubba said only that an unauthorized party had leveraged information obtained in the August 2022 breach to gain access to "certain elements of our customers' information." It was this incident that was detailed in the Dec. 22 blog post update.

According to the CEO, an unnamed threat actor used stolen source code and technical data from the August breach to target another employee and steal credentials and keys. These keys, which included dual storage container decryption keys and a cloud storage access key, were used to access and copy customer information from backup. This customer data, Toubba wrote, included "company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service." The threat actor also obtained a backup of customer vault data that included encrypted website usernames and passwords as well as unencrypted data like website URLs.
