Last Updated: February 28, 2023, 18:11 IST
LastPass reported multiple data breaches that it claims did not leak user passwords but that were concerning for everyone involved. Now, this week, the company has come out with another update that makes you question its security practices. The hackers who exposed and accessed the LastPass private key also managed to breach the home computer of one of its DevOps engineers.
LastPass explains that the PC was compromised by a keylogger in the software, which allowed the attacker to get hold of the engineer’s master password, giving them access to the LastPass corporate vault. Using this access, they were able to find the decryption keys that can be used to unlock the customer password vault backups.
The latest details suggest LastPass was battling a mass attack that was first used to breach the main vault and then to attack one of its engineers to pick up the backup vault with the data of its customers. The first attack was confirmed by LastPass in August last year, when it said that hackers stole parts of the company’s source code and other sensitive data.
But the company assured users that their passwords were unaffected. As if that wasn’t enough, the attacker used the existing flaw to breach LastPass systems once again in December last year, and the company yet again said that the passwords of its users were safe.
Safe to say that the latest update changes the narrative, especially when the bad actors have been able to breach the computer of one of LastPass’s engineers, giving them wider access to confidential data.
Having decryption keys in an attacker’s hands is never an ideal situation, and people will now be wondering how the home PC of an engineer working with a password manager brand could be hacked, and, if that did happen, what kind of security LastPass offers to its customers, let alone its own employees. People will also start considering moving to other platforms after seeing the repeated nature of attacks on LastPass in a short time.
LastPass, which counts more than 25 million users, works by aggregating the hundreds of passwords consumers and corporate users need to log into their social media accounts, business networks, online retailers and more.