Not possible guys, I'm a level 3 agent from LP and let me give you an inside view of this security breach:

The breach was reported around 11:30 EST; about 30 minutes later I was running around with the rest of the development team trying to find out what happened.

12:30 we inform the support team and the marketing team so they can start sending emails and creating a blog post to inform our customers.

1:30 our operations in customer support, billing and tech stop since we proceed to an emergency meeting to provide information to our agents.

2:00PM The blog post and the emails were ready and sent to all our customers.

Up to this point the security firm and the team were able to identify the source of the breach and also stop any potential damage to our coding infrastructure. There's no risk for our customers at the moment.

I promise you guys if I have more information about this I'll let you know.

And about the disabled auto renewal: call billing and let them do it; we have a bug with that feature and we were ready to update, but due to this problem it's delayed.

I get the desire not to divulge too much sensitive info; however, there are some real questions left unanswered.

Firstly, the “proprietary technical info” could be anything, including private keys, connection/endpoint info, known vulnerabilities, etc. Ultimately, we have to assume they got hacked because someone wanted to compromise their security. Just because they don’t believe user data has been compromised yet, they don’t give any indication that allows us to be confident that the exposure won’t facilitate future hacks. One advantage of OS software is there is no presumption of security through obscurity. The lack of visibility of LastPass’s source (and proprietary info) gave them some protection that is now gone. However unimportant, it is inarguable their security has been reduced.

I forgot about server software, yeah, that’s completely opaque.

Proprietary software that loses obscurity has only downsides compared to an OS solution - that can at least be independently evaluated and monitored by security researchers.

You can only reverse engineer client side code without server access.

It’s a reasonable concern that the server code has been exposed, which removes the “security by obscurity” ‘advantage’ of closed source - which is the point I made.

Have a link to a previous time their dev environment was compromised like this? I know they had breaches of data from their production networks in the past, but a different kind of attack/breach than this one. (Not that it makes it better… just trying to understand what “this isn’t the first time” means.)

I was referring to the previous security breaches, the last in Dec 21, which are easily found on Google, et al. I’ve been a paying LastPass customer for many years and there have been several that have been widely reported.

They were ‘different’ to this breach (presumably, as we don’t have sufficient detail).

I’m sorry I wasn’t more explicit; I think it’s reasonable to expect each security breach should be of a different nature, and certainly through a different vector. (Otherwise they’re entirely inexcusable.) The dev vs production distinction is something of a red herring here. Yes, they presumably did not have access to live data, but the code that was stolen is certainly in production (or at least the significant majority of it), even if they got a development copy, due to the nature of code - the dev code and production code are largely identical, save for recent modifications. Further, they mention proprietary technical information - again this may have been accessed from a dev environment, but some of that information is almost certainly relevant to the production environment. (Without them giving any insight as to what that info was, it’s at least reasonable to be concerned.)

Dev environments are kept as similar to production as possible to provide effective testing. Just because the data is different (fake) doesn’t mean a huge amount can be learnt from the dev environment. (Source: decades of designing, building and delivering multi-tier software.)