TEXXR

Chronicles

The story behind the story


LastPass says hackers stole password vault data in 2022 by exploiting an RCE flaw in third-party software to install a keylogger on a DevOps engineer's computer

Lawrence Abrams / BleepingComputer :

Discussion

  • @dcuthbert Daniel Cuthbert on x
    Lastpast attack chain via home media centre of senior dev. Sssh, can you hear that? That's the sound of a shitload of threat models being redone.
  • @shipilev @shipilev on x
    I am so concerned about this scenario, that on my new job, the plan is to ditch BYOD in favor of corporate hardware that is firewalled from the rest of the network. Public work on home computers is fine, touching anything private is asking for big oof. https://arstechnica.com/...
  • @_mg_ @_mg_ on x
    4 people who have access to “the keys to the kingdom”. At least 1 of them was accessing them from a home computer. For how long without anyone noticing? If that didn't raise flags, then it won't for an attacker either. Helping them harden their home network is nice, but there... …
  • @ahess247 Arik Hesseldahl on x
    Dear @1Password: I do hope you're taking notes. https://www.techmeme.com/...
  • @_mg_ @_mg_ on x
    New details on the 2nd LastPass incident are fun: - got into Sr DevOp's home via vuln media software - installed keylogger - got master pass to corp vault (seemingly because it was being accessed from home computer) Cool to see that LastPass is sharing https://support.lastpass.co…
  • @kimzetter Kim Zetter on x
    LastPass employee's home computer hacked and intruders stole decrypted vault. “Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets” https://arstechnica.com/...
  • @rajsarkar Raj Sarkar on x
    “The company says they have since updated their security posture, including rotating sensitive credentials and authentication keys, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.” Shouldn't this be standard practice? https…
  • @peterktodd @peterktodd on x
    “The attacks seen here could happen to any company.” Using Qubes to isolate different environments would probably have prevented this. Also, why is a security-critical company allowing work-from-home? https://twitter.com/...
  • @ippsec @ippsec on x
    @_MG_ Probably wrong, but man what a big coincidence that a media software package was attributed to the LastPass breach on Aug 12. And ~2 weeks later Plex announced a big breach. https://techcrunch.com/...
  • @binitamshah Binni Shah on x
    Lastpass Quietly indicates that Enterprise Users' K2s were accessed : https://support.lastpass.com/ ... Additional details of the attack on LastPass : https://support.lastpass.com/ ...
  • @lukolejnik Lukasz Olejnik on x
    It's good that more details about LastPass breach are posted. “targeted LastPass infrastructure, resources, employee ... valid credentials stolen from a senior DevOps engineer [used] to access a shared cloud-storage environment”. Employee home computer. https://support.lastpass.c…
  • @weldpond Chris Wysopal on x
    “by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code exec” I wonder what security controls were on that computer. https://arstechnica.com/...
  • @_mg_ @_mg_ on x
    Just to be clear: while there is plenty to criticize about the LastPass product, the transparency of what was posted today is great. It actually gives me some hope that I didn't previously have. The attacks seen here could happen to any company. Most would have handled it much...…
  • @bleepincomputer @bleepincomputer on x
    As part of today's disclosure, LastPass also released a complete list of the wide and varied data that was accessed by the threat actors. https://twitter.com/...
  • @_mg_ @_mg_ on x
    Does your Red Team get to target people's home computers and networks? I am guessing that a great big “nope” for almost every company I know of.
  • @arekfurt @arekfurt on x
    Again, I feel compelled to praise LastPass for their transparency here. While criticizing them for their security absolutely sucking. An engineer with access to important keys for encrypted data in protected data got them stolen when *his personal computer* was compromised. 🤦🤦 htt…
  • @jcran @jcran on x
    Some good lessons in here, and nice to see @lastpass opening up about the incident. Cold hard truth is that this could easily be almost any SaaS company on the receiving end. https://twitter.com/...
  • @gchampeau Guillaume Champeau on x
    “LastPass says one of its DevOps engineers had a personal home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources.” https://www.securityweek.com/ ...
  • @dcuthbert Daniel Cuthbert on x
    The attack chain here is actually very good and raises a lot of concerns surrounding wfh, network design etc https://support.lastpass.com/ ... Kudos to @LastPass as this is proper transparency and many will learn from this. Thank you
  • @silvermanjacob Jacob Silverman on x
    Also this is a pretty shitty thing to do for LastPass users who might want to find out info about a catastrophic hack. https://www.bleepingcomputer.com/ ... https://twitter.com/...
  • @uk_daniel_card @uk_daniel_card on x
    The last pass for LastPass?? https://twitter.com/...
  • @crankysysad @crankysysad on x
    It looks like a Senior DevOps Engineer at LastPass got popped after accessing corporate data on their personal workstation, which was also running Plex. I'm skeptical. Was it REALLY Plex or was their personal machine just cracked from torrenting? https://arstechnica.com/...
  • @barnacules @barnacules on x
    I REALLY hope you all listened to me when I told you to leave @LastPass & change all of your passwords a few weeks ago otherwise you're about to go through the same thing I did if you're not already doomed 🔥 https://arstechnica.com/... #Hacked #LastPass #Breach #Security
  • @karissabe Karissa Bell on x
    Another example of how you can do everything “right” and still be screwed bc the companies that are supposed to be protecting us utterly fail to anticipate all the ways they may be exploited https://arstechnica.com/...
  • @adamnash Adam Nash on x
    At some point, there's not much that crisis comms can do for you. 🤷‍♂️ https://arstechnica.com/...
  • @_mg_ @_mg_ on x
    It was Plex. They exploited Plex to get into the home network, installed a keylogger on a home laptop, and got the corp vault password because the home laptop was logging into it. Targeted high value employee shortly after the https://arstechnica.com/...... https://twitter.com/..…
  • @zquestz Josh Ellithorpe on x
    Don't use LastPass. Migrate to alternatives. https://arstechnica.com/...
  • @alice_comfy Alice on x
    lastpass: We're going to take advantage of Twitter blue longer posts and backup our users vaults on our twitter account. We think this provides a good balance between security and convenience. Simply advance search your username on our account to log in. https://twitter.com/...
  • @dragosr @dragosr on x
    It's all attack surface. LastPass attackers, after being discovered, pivoted to DevOps engineer's home computer, keylogged, pivoted into secrets repositories, AWS keys. Many lessons here. Thanks @ryanaraine https://www.securityweek.com/ ...