LastPass

A recent security breach at password management service LastPass was the result of one of its engineers failing to update a movie streaming app on their home computer. This is a sobering reminder of the dangers of failing to keep software up to date and of mixing business and personal software on the same machine.

It appears unknown hackers used information stolen in an incident in August 2022 to mount a second attack between August and October 2022.

The attacks enabled the hackers to steal partially encrypted password vault data and customer information. The second attack specifically singled out one of the company’s DevOps engineers, planting keylogger malware on their home computer to capture the credentials needed to access the company’s cloud storage.

This is said to have been made possible by exploiting an old, now-patched flaw in the streaming software to achieve code execution on the engineer’s computer.

The vulnerability affected the streaming server on Windows and allowed a remote, authenticated attacker with access to the engineer’s streaming account to upload a malicious file and have the server execute it.

This happened because the engineer had work software on a home computer AND had not upgraded one piece of personal software. In this case the fix had been available for three years.

There are some important lessons from this case:

  1. Only use a company-owned, business-only computer for work, and never install personal software on that device.
  2. Keep ALL software up to date, including anything installed for personal use on a machine that also handles business data.

This type of hack can be avoided. At Trichromic we use a private password server that is fully under our own control. If you have concerns about the security of remote access to your business data, why not speak with one of our friendly specialists for advice. They can be contacted on 020 3327 0310.