978-223-2959 horizon@saviorlabs.com

LastPass – Is This The Last Pass for LastPass

It may not be a secret, but I have been largely ambivalent about LastPass, although some years ago I tweeted several times about its security issues. There have been numerous issues since then (see below). The thing is, as I sometimes say, “you don’t know what you don’t know”:

  • LastPass may be more diligent and open about the issues they have had,
  • LastPass may have more issues than its competitors, or
  • Other companies may not tell us about the issues they have seen.

You pick. Will you give them a pass, or start to look elsewhere?

(Parenthetically [are you supposed to say that, or just use parentheses?], this very issue is one of the reasons why open source can be so attractive: it gets continually “vetted” by the community.)

See the full notice at Notice of Recent Security Incident – The LastPass Blog; the text follows.

To All LastPass Customers,

I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.

Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.

In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.

Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.

Thank you for your patience, understanding and support.

Karim Toubba
CEO LastPass


Cybersecurity Insurance Notes

I recently came upon these frightening statistics from cybersecurity insurance company Beazley:

  • 80% of ransomware victims experience a second attack
  • 68% of those victims experienced a second attack within less than a month
  • Ransom demands increase on new attacks
  • 40% of repeat victims pay a second ransom
  • 10% pay a third ransom
  • 1% pay a fourth ransom

You have been warned: cybersecurity is serious and needs to be managed.

Uptick in SMS Phishing (Smishing)

The United States Federal Communications Commission issued an alert about the increasing onslaught of smishing (SMS phishing) attacks attempting to steal personal data and money. You know it’s bad when flags are being raised at this level.

Why Is Smishing So Effective?

Hackers trick individuals into entering sensitive information by crafting text messages about bank problems, unpaid bills, package delivery issues, and law enforcement actions.

We’ve observed the most successful campaigns using simple website redirects to impersonate bank and service websites to con individuals into entering credentials and/or MFA codes. In some cases, attackers are also spoofing the sender of the message, attempting to add legitimacy to it.

With the credentials, account information, and multifactor codes, threat actors gain access to accounts to make fraudulent purchases, transfer money, steal identity information, or simply sell account access to other criminals.

If you simply click the links contained in the messages, you get added to a list of people who have live numbers and follow such links, which allows hackers to target you further. The danger is elevated when individuals supply threat actors with any additional data, including credentials or MFA codes.

The FCC recommends taking the following measures to defend against these kinds of attacks:

  • Do not respond to texts from unknown numbers or any others that appear suspicious.
  • Never share sensitive personal or financial information by text.
  • Look out for misspellings or texts that originate from an email address.
  • Think twice before clicking any links in a text message.
  • If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren’t hacked.
  • If a business sends you a text you weren’t expecting, look up their number online and call them back.
  • Remember that government agencies almost never initiate contact by phone or text.
  • Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or “SPAM”).
  • File a complaint with the FCC.

We continue to monitor the situation for additional novel techniques.

Content provided by Bruce McCully
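The smishing indicators described above (a redirect or shortener link, a lookalike of a bank or delivery domain, a message sent from an email address, lure wording, and a request for an MFA code) can be turned into a simple triage check. The following is an added example for this newsletter, not code from the original page or from Bruce McCully; the sample messages, the sender values, and the list of "trusted" domains are all constructed for illustration.

```python
"""Heuristic triage of SMS text for smishing indicators.

Added example, not code from the newsletter or from Bruce McCully. The sample
messages, sender values and the list of 'trusted' domains are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed: domains the recipient actually does business with.
TRUSTED_DOMAINS = {"examplebank.com", "usps.com"}

# Common redirect services; a link through one hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Lures named in the text: bank problems, bills, package delivery, law enforcement.
LURE_RE = re.compile(
    r"\b(suspended|locked|unusual activity|verify|unpaid|overdue|package|"
    r"delivery|redeliver|warrant|court|irs|refund|confirm)\b", re.I)
MFA_RE = re.compile(r"\b(code|otp|one[- ]time|passcode)\b", re.I)
# Bare or scheme-prefixed hostnames with an optional path.
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host):
    """Last two labels of a hostname (good enough for this heuristic)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_hosts(text):
    """Return the hostnames of every URL-looking token in the message."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def score_message(sender, text):
    """Return (score, reasons); a higher score means more smishing indicators."""
    score, reasons = 0, []
    if "@" in sender:  # text sent from an e-mail address (FCC red flag)
        score += 2
        reasons.append("sender is an e-mail address")
    for host in extract_hosts(text):
        dom = registrable_domain(host)
        if dom in SHORTENERS:
            score += 3
            reasons.append(f"shortener/redirect {host}")
        elif dom not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                brand = trusted.split(".")[0]
                if brand in host:  # trusted brand name buried in a lookalike host
                    score += 4
                    reasons.append(f"lookalike of {trusted}: {host}")
                    break
            else:
                score += 1
                reasons.append(f"unknown domain {host}")
    if LURE_RE.search(text):
        score += 1
        reasons.append("pressure/lure wording")
    if MFA_RE.search(text):
        score += 3
        reasons.append("asks for MFA/one-time code")
    return score, reasons


def verdict(score):
    return "likely smishing" if score >= 4 else "suspicious" if score >= 2 else "no indicators"


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("ExampleBank", "Your statement is ready at https://www.examplebank.com/statements. Reply STOP to opt out."),
    ("usps@mail-notify.biz", "USPS: your package could not be delivered. Confirm address: http://usps.com-redelivery.info/track"),
    ("+15550100", "Your ExampleBank account is locked due to unusual activity. Verify now at bit.ly/xyz123 and enter the code we text you."),
    ("98765", "ExampleBank: a $250.00 purchase was made. Not you? Call the number on the back of your card."),
]


def triage(samples=SAMPLES):
    """Score each (sender, text) pair; return [(sender, verdict, score, reasons)]."""
    out = []
    for sender, text in samples:
        score, reasons = score_message(sender, text)
        out.append((sender, verdict(score), score, reasons))
    return out


if __name__ == "__main__":
    for sender, v, score, reasons in triage():
        print(f"{v:16} {score:2}  from {sender!r}: {'; '.join(reasons) or '-'}")
```

The two constructed phishing samples score highest because they stack the indicators the text describes: a lookalike host that buries the real brand (usps.com-redelivery.info is not usps.com), a shortener that hides the redirect target, and a request for a one-time code. The legitimate samples link only to a trusted domain or to no link at all, and direct the recipient to call the number on the card, which is what the FCC advice recommends. The scoring weights are arbitrary and the lure list is short; treat this as a starting point for a mail or SMS gateway filter, not a finished classifier.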

Urgent Apple Updates

Apple has released security updates to address vulnerabilities in macOS and iOS (iPhone). These updates address vulnerabilities that attackers could exploit to take control of affected systems.

Stop what you are doing and update as soon as possible. See Apple security updates for more info.