
LastPass is a leading identity and password manager, making it easier to log in to life and work. Trusted by 100,000 businesses and millions of users, LastPass combines advanced security with effortless access for individuals, families, small business owners, and enterprise professionals. With LastPass, important credentials are protected and private – and always within reach. Learn more via www.lastpass.com.

LastPass A.I CyberSecurity Scoring

LastPass

Company Details

Linkedin ID: lastpass
Employees number: 794
Number of followers: 39,994
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: lastpass.com
IP Addresses: 0
Company ID: LAS_1127340
Scan Status: In-progress

LastPass Risk Score (AI oriented): between 650 and 699
  • Powered by Rankiteo's proprietary A.I. cyber incident model
  • Insurers prefer the TPRM score when calculating premiums

LastPass Global Score (TPRM): XXXX (masked on the public page)
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

LastPass Company CyberSecurity News & History

Past Incidents: 5
Attack Types: 2

LastPass
Breach
Severity: 100
Impact: 5
Seen: 08/2022
Rankiteo Explanation
Attack threatening the organization's existence

Description: An unauthorized party gained access to portions of LastPass's development environment and stole portions of source code and proprietary technical information. LastPass stated at the time that no customer data or encrypted password vaults had been accessed. The company engaged a leading cybersecurity and forensics firm to investigate and implemented additional countermeasures. The later stage of the same 2022 incident, in which encrypted customer vault backups were stolen from cloud storage, is the breach referred to under the CryptoChameleon entry below and in the news items about the ICO fine.

LastPass
Breach
Severity: 100
Impact: 5
Seen: 07/2015
Rankiteo Explanation
Attack threatening the organization's existence

Description: LastPass disclosed a breach of its own infrastructure that compromised account email addresses, password reminders, server-side per-user salts and authentication hashes; LastPass reported no evidence that encrypted vault data was taken. Because the salts leaked together with the hashes, an attacker holding the database can test master-password guesses offline with no rate limit, which is why LastPass advised users with weak master passwords to change them. The resulting rush of password changes overloaded the servers, and many users were shown the message: "Oops! Our servers are a bit overloaded right now. Please try your password change again shortly, we will catch up soon."
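The 2015 entry lists server-side per-user salts and authentication hashes among the stolen items. The example below is added here and is not LastPass's code: it uses an assumed two-stage PBKDF2 scheme (a client-side stretch salted with the account email, then a server-side stretch with a per-user salt) to show why salt plus hash in an attacker's hands turns the server's login check into an offline guessing attack, and why master-password strength is then the only remaining defence. The scheme, iteration counts, email, salt and wordlist are all constructed for illustration.

```python
import hashlib

# Illustrative iteration counts, deliberately small so the example runs fast.
# Production schemes use orders of magnitude more; the attack below works the
# same way regardless, only slower per guess.
CLIENT_ITERATIONS = 2000
SERVER_ITERATIONS = 2000


def client_key(master_password: str, email: str) -> bytes:
    """Client-side stretch: master password salted with the account email.
    Assumed scheme for this example, not LastPass's actual derivation."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"),
        CLIENT_ITERATIONS,
    )


def auth_hash(master_password: str, email: str, server_salt: bytes) -> bytes:
    """Server-side stretch of the client key with a per-user server salt.
    The server stores (email, server_salt, auth_hash); that tuple is exactly
    what a database theft like the 2015 one hands to the attacker."""
    return hashlib.pbkdf2_hmac(
        "sha256", client_key(master_password, email), server_salt, SERVER_ITERATIONS,
    )


def offline_guess(target_hash: bytes, email: str, server_salt: bytes, candidates):
    """Offline dictionary attack: with salt and hash known, the attacker runs the
    public derivation locally, with no lockout, rate limit or alerting.
    Returns the recovered master password or None."""
    for guess in candidates:
        if auth_hash(guess, email, server_salt) == target_hash:
            return guess
    return None


# Constructed sample data (not real user data).
EMAIL = "alice@example.com"
SERVER_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
WORDLIST = ["123456", "password", "letmein", "password123", "Summer2015", "lastpass1"]


def demo():
    """A weak master password falls to the wordlist; a long passphrase does not."""
    weak_hash = auth_hash("password123", EMAIL, SERVER_SALT)
    strong_hash = auth_hash("correct horse battery staple 7", EMAIL, SERVER_SALT)
    return (
        offline_guess(weak_hash, EMAIL, SERVER_SALT, WORDLIST),
        offline_guess(strong_hash, EMAIL, SERVER_SALT, WORDLIST),
    )


if __name__ == "__main__":
    recovered, not_recovered = demo()
    print("weak master password recovered:", recovered)
    print("strong master password recovered:", not_recovered)
```

Changing the master password replaces both the client key and the stored hash, which is why a password change, not just a reset of the server-side salt, was the remediation. Under this assumed scheme a recovered master password also yields the client key, so a weak password matters even when vault blobs were not taken.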

LastPass
Breach
Severity: 100
Impact: 5
Seen: 6/2020
Rankiteo Explanation
Attack threatening the organization's existence

Description: LastPass again reported a data security breach after an unauthorized party gained access to LastPass data hosted with a third-party cloud provider. This record does not identify the provider; an Amazon Web Services blog post from 2020 mentions LastPass migrating a billion customer records to AWS, which is where the "billion customer records" figure elsewhere on this page comes from. That figure describes the migration, not what was accessed: per this record, no customer data or encrypted passwords were accessed. Note that the only LastPass incident publicly described in these terms is the cloud-storage stage of the 2022 breach, so the 6/2020 date should be treated with caution.

LastPass
Cyber Attack
Severity: 60
Impact: 3
Seen: 10/2025
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: An ongoing phishing campaign targeted LastPass users (alongside Bitwarden and 1Password users) with fake emails claiming the company had been hacked and urging recipients to download a supposedly more secure desktop version of the password manager. The messages impersonated LastPass with urgency-driven wording from domains such as hello@lastpasspulse[.]blog. The downloaded binary installed Syncro, a legitimate remote monitoring and management (RMM) tool, which the attackers then used to deploy ScreenConnect and obtain persistent remote access. LastPass confirmed that no breach had occurred; the campaign's goal was vault credentials, reached by getting users to install malware disguised as a security update. The actors timed the campaign to reduced staffing over the Columbus Day weekend to delay detection. Cloudflare later blocked the phishing landing pages, but the campaign showed how legitimate tools (Syncro, ScreenConnect) are used to bypass defences, disable security agents (Emsisoft, Webroot, Bitdefender) and exfiltrate data from compromised endpoints.

LastPass
Cyber Attack
Severity: 85
Impact: 4
Seen: 6/2022 (as recorded; the incident details below date the campaign to mid-October, and the description refers to the aftermath of the 2022 breach, so this date predates the activity it describes)
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: LastPass is warning customers about an ongoing phishing campaign by the financially motivated threat group CryptoChameleon (UNC5356), targeting its users since mid-October. The fraudulent emails impersonate LastPass's legacy inheritance process, claiming that a family member has requested access to the victim's vault on the strength of a fake death certificate. Victims are sent to a spoofed login page (lastpassrecovery[.]com) that asks for the master password; in some cases attackers also phoned victims while posing as LastPass support. The campaign has expanded to passkey-themed phishing domains (e.g. mypasskey[.]info). A phishing page cannot extract a passkey's private key directly, but a stolen master password unlocks whatever passkeys the vault holds, which is the exposure these domains aim at. The campaign comes after LastPass's 2022 breach, in which encrypted vault backups were stolen and which has been linked to subsequent cryptocurrency thefts totalling $4.4 million. It combines psychological pressure with technical deception to take over accounts and reach the credentials stored in victims' vaults.
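Both phishing campaigns on this page turn on sender and landing domains built around the vendors' names; the indicators listed on this page are lastpasspulse[.]blog, lastpasjournal[.]blog, bitwardenbroadcast.blog, onepass-word[.]com, lastpassrecovery[.]com, mypasskey[.]info and passkeysetup[.]com. The script below is an added example, not code from LastPass, Cloudflare or Rankiteo. It refangs those indicators, flags sender domains that match them exactly, flags brand lookalikes that are within one edit of a vendor name (which catches the dropped "s" in lastpasjournal), and runs both checks over a few constructed mail-gateway log lines. The allowlisted vendor domains, the log format and the log lines are assumptions for the example.

```python
import re

# Brand tokens abused by the campaigns described on this page. "passkey" is a
# generic word, kept only because the page lists passkey-themed domains.
BRAND_TOKENS = ("lastpass", "bitwarden", "1password", "passkey")

# Domains the vendors legitimately mail from. Assumption for this example; an
# operator would load their own verified allowlist.
LEGIT_DOMAINS = {"lastpass.com", "bitwarden.com", "1password.com"}

# Defanged indicators exactly as listed on the page.
KNOWN_PHISHING_DOMAINS = {
    "lastpasspulse[.]blog", "lastpasjournal[.]blog", "bitwardenbroadcast.blog",
    "onepass-word[.]com", "lastpassrecovery[.]com", "mypasskey[.]info",
    "passkeysetup[.]com",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'x[.]com' back into a real domain."""
    return domain.replace("[.]", ".").strip().lower()


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _core_labels(domain: str) -> str:
    """Everything left of the TLD, lower-cased, hyphens removed, and the
    spelled-out 'one' folded to '1' so 'onepass-word.com' reads '1password'."""
    labels = domain.lower().split(".")[:-1]
    return "".join(labels).replace("-", "").replace("one", "1")


def looks_like_brand(domain: str) -> bool:
    """True when a brand token appears in the domain exactly or within one
    edit (insert, delete or substitute), e.g. 'lastpas' for 'lastpass'."""
    core = _core_labels(domain)
    for token in BRAND_TOKENS:
        for width in (len(token) - 1, len(token), len(token) + 1):
            for start in range(0, max(1, len(core) - width + 1)):
                if _levenshtein(core[start:start + width], token) <= 1:
                    return True
    return False


def classify_sender(address: str) -> str:
    """Classify the domain of a From: address as legit, known_ioc, lookalike or clean."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(">")
    if domain in LEGIT_DOMAINS or any(domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    if domain in {refang(d) for d in KNOWN_PHISHING_DOMAINS}:
        return "known_ioc"
    if looks_like_brand(domain):
        return "lookalike"
    return "clean"


# Constructed mail-gateway log lines in a minimal key=value format
# (not real LastPass or gateway data).
SAMPLE_MAIL_LOG = """\
ts=2025-10-11T03:12:44Z msgid=a1 from=hello@lastpasspulse.blog subject="LastPass was hacked - install the secure desktop app"
ts=2025-10-11T03:15:02Z msgid=a2 from=noreply@lastpass.com subject="Your monthly security report"
ts=2025-10-11T04:01:19Z msgid=a3 from=recovery@lastpas-vault.net subject="Legacy inheritance request for your vault"
ts=2025-10-11T04:30:55Z msgid=a4 from=billing@example.org subject="Invoice 4471"
ts=2025-10-11T05:10:08Z msgid=a5 from=support@mypasskey.info subject="Finish setting up your passkey"
"""

LOG_RE = re.compile(r'msgid=(?P<id>\S+)\s+from=(?P<from>\S+)\s+subject="(?P<subject>[^"]*)"')


def scan_mail_log(log_text: str) -> list:
    """Return (msgid, sender, verdict) for every message a gateway rule would
    quarantine for analyst review, i.e. known indicators and brand lookalikes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify_sender(m.group("from"))
        if verdict in ("known_ioc", "lookalike"):
            hits.append((m.group("id"), m.group("from"), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_MAIL_LOG):
        print(*hit)
```

The one-edit fuzzing is deliberately loose: "1password" within one edit also matches the plain word "password", so any domain containing it is flagged as a lookalike. That is acceptable for a quarantine-for-review rule but would need tightening before it drives automatic blocking.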

LastPass Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months: predictions locked (monitoring plan required)

A.I. Risk Score Likelihood 3 - 6 - 9 months: predictions locked (monitoring plan required)

Underwriter Stats for LastPass

Incidents vs Computer and Network Security Industry Average (This Year)

LastPass has 47.06% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

LastPass has 28.21% more incidents than the average of all companies with at least one recorded incident.

Incident Types LastPass vs Computer and Network Security Industry Avg (This Year)

LastPass reported 1 incident this year (1 cyber attack, 0 ransomware, 0 vulnerabilities, 0 data breaches), compared with industry peers that have at least 1 incident.

[Chart: Incident History, LastPass (X = Date, Y = Severity); LastPass cyber incidents detection timeline including parent company and subsidiaries]

LastPass Company Subsidiaries

No subsidiaries are listed; the only entry shown is LastPass itself.

LastPass Similar Companies

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest s

NETWORK-SECURITY-SOLUTIONS

## Our core business We manage linux / unix server infrastructures and build the efficient and secure networking environments using hardware cutting edge technologies suited to the needs of the project and the client. We believe in quality, opposed to quantity. Our company consists of highly

CrowdStrike

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-clas


LastPass CyberSecurity News

December 16, 2025 01:27 PM
Password manager fined after major data breach

LastPass faces $1.6 million fine from U.K. regulators after 2022 data breach exposed 1.6 million users due to inadequate security controls.

December 16, 2025 07:33 AM
LastPass Data Breach: The Cost of Weak Cybersecurity, 1.6 Million Users’ Data at Risk

UK regulator fines LastPass ₹13 crore after 2022 data breach exposed backup database, putting 1.6 million users at risk due to weak...

December 14, 2025 08:00 AM
LastPass Data Breach — 1.6 Million Users Exposed By Security Failure

People trust password managers, and when that trust isn't upheld, it can prove costly — as LastPass has just discovered.

December 13, 2025 08:00 AM
UK’s ICO Fine LastPass £1.2 Million Over 2022 Security Breach

The UK's data privacy regulator, the Information Commissioner's Office (ICO), has penalised the password management giant LastPass UK Ltd...

December 12, 2025 11:00 AM
‘DroidLock’ demands ransom, Google fixes secret Chrome 0-day, UK fines LastPass over 2022 breach

'DroidLock' malware demands ransom, Google fixes secret Chrome 0-day, UK fines LastPass over 2022 breach, Doxers trick tech firms.

December 12, 2025 08:32 AM
ICO Fines LastPass UK £1.2m For Data Breach

The £1.2 million fine against LastPass UK Ltd serves as a clear reminder that companies handling sensitive data must uphold highest...

December 12, 2025 08:00 AM
LastPass hit with £1.2 million fine after 2022 data breach

The UK's Information Commissioner's Office issued a £1.2 million penalty to password management company LastPass' British subsidiary...

December 11, 2025 04:37 PM
ICO Fines LastPass UK £1.2M For 2022 Data Breach

The ICO has hit LastPass UK with a £1.2 million fine after a 2022 breach that exposed the information of up to 1.6 million British users.

December 10, 2025 08:00 AM
LastPass Brings Secure Access to Businesses and Individuals Alike With New Capabilities in 2025

LastPass, a leader in password and identity management trusted by over 100000 businesses worldwide, announced a series of major advancements...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

LastPass CyberSecurity History Information

Official Website of LastPass

The official website of LastPass is https://www.lastpass.com/.

LastPass’s AI-Generated Cybersecurity Score

According to Rankiteo, LastPass’s AI-generated cybersecurity score is 670, reflecting their Weak security posture.

How many security badges does LastPass have ?

According to Rankiteo, LastPass currently holds 0 security badges, meaning Rankiteo has not verified any compliance certification for the organization. Badge status reflects Rankiteo's own verification, not the vendor's published attestations, and should not be read as evidence that no certification exists.

Does LastPass have SOC 2 Type 1 certification ?

According to Rankiteo, no SOC 2 Type 1 report has been verified for LastPass through its badge program.

Does LastPass have SOC 2 Type 2 certification ?

According to Rankiteo, no SOC 2 Type 2 report has been verified for LastPass.

Does LastPass comply with GDPR ?

According to Rankiteo, LastPass is not listed as GDPR compliant in its badge records.

Does LastPass have PCI DSS certification ?

According to Rankiteo, no PCI DSS attestation has been verified for LastPass.

Does LastPass comply with HIPAA ?

According to Rankiteo, no HIPAA compliance attestation has been verified for LastPass.

Does LastPass have ISO 27001 certification ?

According to Rankiteo, no ISO 27001 certificate has been verified for LastPass through its badge program. Each of these answers reflects what Rankiteo has verified, not the absence of a certification; check the vendor's own trust or compliance page before relying on either reading.

Industry Classification of LastPass

LastPass operates primarily in the Computer and Network Security industry.

Number of Employees at LastPass

LastPass employs approximately 794 people worldwide.

Subsidiaries Owned by LastPass

LastPass presently has no subsidiaries across any sectors.

LastPass’s LinkedIn Followers

LastPass’s official LinkedIn profile has approximately 39,994 followers.

NAICS Classification of LastPass

LastPass is classified under the NAICS code 541514, which corresponds to Others.

LastPass’s Presence on Crunchbase

No, LastPass does not have a profile on Crunchbase.

LastPass’s Presence on LinkedIn

Yes, LastPass maintains an official LinkedIn profile, used for branding and talent engagement: https://www.linkedin.com/company/lastpass.

Cybersecurity Incidents Involving LastPass

As of December 23, 2025, Rankiteo reports that LastPass has experienced 5 cybersecurity incidents.

Number of Peer and Competitor Companies

LastPass has an estimated 3,176 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at LastPass ?

Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack and Breach.

What was the total financial impact of these incidents on LastPass ?

Total Financial Loss: The total financial loss from these incidents is estimated to be $4.40 million.

How does LastPass detect and respond to cybersecurity incidents ?

Detection and Response: The record lists the following measures, by incident:
  • 2015 breach: users were informed about the breach and advised to change weak master passwords.
  • 2022 source-code theft: a leading cybersecurity and forensics firm was engaged and additional countermeasures implemented.
  • 10/2025 Syncro/ScreenConnect phishing campaign: LastPass issued a threat alert; Cloudflare blocked the phishing landing pages and domains (lastpasspulse[.]blog, lastpasjournal[.]blog, bitwardenbroadcast.blog, onepass-word[.]com); Malwarebytes analysed the parallel 1Password lure; LastPass and security researchers published advisories; users were taught to verify official communications and encouraged to report phishing; LastPass published a blog post clarifying that no breach had occurred, with media coverage by BleepingComputer and Malwarebytes and warnings on social media.
  • CryptoChameleon inheritance-request phishing: a public warning and advisory to users naming the phishing domains, delivered via blog post and media alerts.

Incident Details

Can you provide details on each incident ?

Incident : Data Breach

Title: LastPass Data Security Breach

Description: A cloud-based password security site, LastPass suffered a data security breach that compromised the account email addresses, password reminders, server per user salts, and authentication hashes.

Type: Data Breach

Incident : Data Breach

Title: LastPass Data Breach

Description: An unauthorized party gained access to a cloud-based password security site, LastPass, resulting in the theft of certain source codes and technical information.

Type: Data Breach

Attack Vector: Unknown

Threat Actor: Unauthorized Party

Motivation: Unknown

Incident : Data Breach

Title: LastPass Data Security Breach

Description: LastPass suffered from a data security breach after an unauthorized party gained access to a cloud-based password security site.

Type: Data Breach

Attack Vector: Unauthorized access

Threat Actor: Unauthorized party

Incident : Phishing

Title: Ongoing Phishing Campaign Targeting LastPass, Bitwarden, and 1Password Users with Fake Security Alerts

Description: An ongoing phishing campaign is targeting users of LastPass, Bitwarden, and 1Password with fake emails claiming that the companies were hacked. The emails urge recipients to download a supposedly more secure desktop version of the password manager, which instead installs the Syncro remote monitoring and management (RMM) tool. This tool is then used to deploy ScreenConnect, granting threat actors remote access to compromised systems. The campaign exploits social engineering tactics, including urgency and impersonation of official communications, to trick users into executing malicious binaries. Cloudflare is currently blocking access to the phishing landing pages.

Date Detected: 2023-10-09T00:00:00Z (as recorded; this conflicts with the 10/2025 date shown for the same campaign in the incident history above)

Date Publicly Disclosed: 2023-10-09T00:00:00Z (as recorded; same caveat)

Type: Phishing

Attack Vector: email phishing; malicious binary download; legitimate tool abuse (Syncro MSP, ScreenConnect)

Vulnerability Exploited: User trust in brand communications; exploitation of psychological urgency and fear tactics. No technical vulnerabilities in LastPass, Bitwarden, or 1Password systems were exploited.

Motivation: financial gain; credential theft; data exfiltration; potential follow-on attacks (e.g., ransomware, fraud)

Incident : phishing

Title: Phishing Campaign Targeting LastPass Users via Fake Legacy Inheritance Process

Description: LastPass is warning customers of a phishing campaign that sends emails presenting an access request to the password vault as part of the legacy inheritance process. The activity, attributed to the financially motivated threat group CryptoChameleon (UNC5356), started in mid-October and has evolved to target passkeys as well. The emails claim a family member has requested access to the victim's LastPass vault on the basis of a fabricated death certificate and redirect users to a fraudulent login page (lastpassrecovery[.]com) to steal credentials. In some cases the threat actors posed as LastPass staff to direct victims to the phishing site. The campaign also uses passkey-focused phishing domains such as mypasskey[.]info and passkeysetup[.]com. It follows the 2022 data breach in which encrypted vault backups were stolen, linked to subsequent cryptocurrency losses of about $4.4 million.

Date Detected: mid-October 2023 (as recorded; this conflicts with the 6/2022 "Seen" date given for the same campaign in the incident history above)

Type: phishing

Attack Vector: email phishing; fake inheritance request; voice phishing (vishing); fraudulent login pages

Vulnerability Exploited: user trust in the legacy inheritance process; master passwords typed into an attacker-controlled page, which a phishing-resistant factor such as a hardware security key would not hand over; passkeys stored in the password manager, which a stolen master password unlocks

Threat Actor: CryptoChameleon (UNC5356)

Motivation: financial gain (cryptocurrency theft)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of incident recorded for the company is Breach (3 of the 5 incidents).

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The recorded attack vectors are phishing emails delivering a malicious binary disguised as a password manager update, and phishing emails carrying fake legacy inheritance requests.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach LAS1151522

Data Compromised: Email addresses, Password reminders, Server per user salts, Authentication hashes

Operational Impact: Server overload

Incident : Data Breach LAS25527822

Data Compromised: Source codes, Technical information

Systems Affected: Development Environment

Incident : Data Breach LAS214211222

Data Compromised: No customer data or encrypted passwords were accessed.

Incident : Phishing LAS3302433101625

Data Compromised: Potential access to password vaults via saved credentials, System metadata, User activity monitoring

Systems Affected: end-user devices (Windows, possibly macOS); password manager applications (if credentials were exposed)

Operational Impact: potential account takeovers; follow-on attacks (e.g., lateral movement, ransomware); increased helpdesk/support load from user reports

Customer Complaints: Likely (users reporting phishing attempts or compromised accounts)

Brand Reputation Impact: moderate (impersonation of trusted brands); erosion of user trust in email communications from password managers

Identity Theft Risk: High (if password vaults are accessed)

Payment Information Risk: High (if payment details are stored in compromised vaults)

Incident : phishing LAS1192211102425

Financial Loss: $4.4 million (from 2022 breach-linked cryptocurrency losses; current campaign losses unspecified)

Data Compromised: Lastpass master passwords, Passkeys, Potential vault contents

Systems Affected: LastPass user accounts; passkey storage in the vault

Customer Complaints: likely (based on phishing volume)

Brand Reputation Impact: high (repeated targeting of LastPass users, erosion of trust in security)

Identity Theft Risk: high (stolen credentials could enable broader account takeovers)

Payment Information Risk: high (cryptocurrency wallets targeted)

What is the average financial loss per incident ?

Average Financial Loss: $880 thousand per incident, which is the single $4.4 million figure (cryptocurrency thefts linked to the 2022 breach) averaged over the five recorded incidents; no loss figure is recorded for the other four.

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: email addresses, password reminders, server per-user salts and authentication hashes (2015 breach); source code and technical information (2022 breach); potential password-vault credentials, system access via ScreenConnect and user activity logs (Syncro/ScreenConnect phishing); master passwords, passkeys and potential vault data if credentials are reused (CryptoChameleon phishing).

Which entities were affected by each incident ?

Incident : Data Breach LAS1151522

Entity Name: LastPass

Entity Type: Company

Industry: Technology

Incident : Data Breach LAS25527822

Entity Name: LastPass

Entity Type: Company

Industry: Cybersecurity

Incident : Data Breach LAS214211222

Entity Name: LastPass

Entity Type: Company

Industry: Technology

Customers Affected: none recorded as accessed; the "billion customer records" figure comes from the 2020 AWS blog post about LastPass's migration to AWS, not from the breach itself

Incident : Phishing LAS3302433101625

Entity Name: LastPass

Entity Type: Password Manager Provider

Industry: Cybersecurity

Location: Global

Customers Affected: Unknown (targeted users)

Incident : Phishing LAS3302433101625

Entity Name: Bitwarden

Entity Type: Password Manager Provider

Industry: Cybersecurity

Location: Global

Customers Affected: Unknown (targeted users)

Incident : Phishing LAS3302433101625

Entity Name: 1Password

Entity Type: Password Manager Provider

Industry: Cybersecurity

Location: Global

Customers Affected: Unknown (targeted users)

Incident : Phishing LAS3302433101625

Entity Name: End Users

Entity Type: Individuals/Organizations

Industry: Multiple

Location: Global

Incident : phishing LAS1192211102425

Entity Name: LastPass

Entity Type: password manager service

Industry: cybersecurity

Location: global (users worldwide)

Customers Affected: unknown (campaign described as 'extensive')

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach LAS1151522

Remediation Measures: Recommended users to update their weak master passwords

Communication Strategy: Informed users about the breach and recommended updating passwords

Incident : Data Breach LAS25527822

Third Party Assistance: Leading Cybersecurity And Forensics Firm.

Remediation Measures: Implemented additional countermeasures

Incident : Phishing LAS3302433101625

Incident Response Plan Activated: LastPass issued a threat alert; Cloudflare blocked the phishing landing pages

Third Party Assistance: Cloudflare (blocking phishing pages); Malwarebytes (analysis of the 1Password campaign)

Containment Measures: Cloudflare blocking the phishing domains (lastpasspulse[.]blog, lastpasjournal[.]blog, bitwardenbroadcast.blog, onepass-word[.]com); public advisories from LastPass and cybersecurity researchers

Remediation Measures: user education on verifying official communications; encouragement to report phishing attempts

Communication Strategy: LastPass blog post clarifying that no breach occurred; media coverage by BleepingComputer and Malwarebytes; social media warnings

Incident : phishing LAS1192211102425

Incident Response Plan Activated: likely (public warning issued)

Containment Measures: public advisory to users; warning about the phishing domains

Communication Strategy: blog post; media alerts

What is the company's incident response plan?

Incident Response Plan: For the Syncro/ScreenConnect campaign the record notes that LastPass issued a threat alert and Cloudflare blocked the phishing landing pages; for the CryptoChameleon campaign it notes a public warning, with plan activation marked as likely. No incident response plan details are recorded for the three breaches.

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: A leading cybersecurity and forensics firm for the 2022 source-code breach; Cloudflare (blocking phishing pages) and Malwarebytes (analysis of the 1Password campaign) for the Syncro/ScreenConnect phishing campaign.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach LAS1151522

Type of Data Compromised: Email addresses, Password reminders, Server per user salts, Authentication hashes

Incident : Data Breach LAS25527822

Type of Data Compromised: Source codes, Technical information

Incident : Data Breach LAS214211222

Data Encryption: Encrypted passwords

Incident : Phishing LAS3302433101625

Type of Data Compromised: Potential password vault credentials, System access (via screenconnect), User activity logs

Sensitivity of Data: High (passwords, potentially payment info, PII)

Data Exfiltration: Likely (if threat actors accessed vaults or deployed additional malware)

Personally Identifiable Information: High risk (if stored in password vaults)

Incident : phishing LAS1192211102425

Type of Data Compromised: Master passwords, Passkeys, Potential vault data (if credentials reused)

Sensitivity of Data: high (passwords, cryptographic keys, financial access)

Data Exfiltration: likely (if credentials entered on phishing sites)

Data Encryption: N/A (credentials voluntarily entered by users on fake sites)

Personally Identifiable Information: high risk (if vaults accessed)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The recorded measures are largely user-facing rather than technical: users advised to change weak master passwords (2015), additional countermeasures implemented (2022, not specified), and user education on verifying official communications plus encouragement to report phishing attempts (2025 phishing).

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: For the phishing campaigns the record lists Cloudflare blocking the phishing domains (lastpasspulse[.]blog, lastpasjournal[.]blog, bitwardenbroadcast.blog, onepass-word[.]com), public advisories from LastPass and security researchers, and warnings to users naming the phishing domains. No PII-specific handling is recorded for the breaches.

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Phishing LAS3302433101625

Lessons Learned: Threat actors increasingly abuse legitimate tools (e.g., Syncro, ScreenConnect) to evade detection., Social engineering remains highly effective, especially when exploiting urgency (e.g., fake security alerts)., Holiday weekends are prime targets for phishing campaigns due to reduced staffing., User education on verifying official communications is critical, even for security-savvy audiences., Password manager users are high-value targets due to the sensitivity of stored credentials.

Incident : phishing LAS1192211102425

Lessons Learned: Threat actors are increasingly targeting passwordless authentication methods (e.g., passkeys) and exploiting psychological triggers (e.g., inheritance processes). Legacy features in security products can become attack vectors if not rigorously secured against social engineering. User education remains critical to combat sophisticated phishing.

What recommendations were made to prevent future incidents ?

Incident : Phishing LAS3302433101625

Recommendations: Always verify security alerts by logging into official websites (not via email links). Enable multi-factor authentication (MFA) for password managers and associated email accounts. Use hardware security keys where possible to mitigate phishing risks. Monitor for unusual activity in password vaults (e.g., unexpected logins or changes). Organizations should block or restrict unauthorized RMM tools (e.g., Syncro, ScreenConnect) unless explicitly whitelisted. Deploy email security solutions to detect and quarantine phishing messages impersonating trusted brands. Conduct regular phishing simulations to train users on recognizing social engineering tactics.

Incident : phishing LAS1192211102425

Recommendations: Enable multi-factor authentication (MFA) for all critical accounts, including password managers. Verify inheritance/access requests through out-of-band channels (e.g., phone calls to trusted contacts). Use hardware security keys (e.g., YubiKey) for passkey storage to resist phishing. Monitor for suspicious domains spoofing legitimate services (e.g., lastpassrecovery[.]com). Implement delays or additional verification for high-risk actions like inheritance requests. Educate users on recognizing vishing (voice phishing) tactics.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: Threat actors increasingly abuse legitimate tools (e.g., Syncro, ScreenConnect) to evade detection. Social engineering remains highly effective, especially when exploiting urgency (e.g., fake security alerts). Holiday weekends are prime targets for phishing campaigns due to reduced staffing. User education on verifying official communications is critical, even for security-savvy audiences. Password manager users are high-value targets due to the sensitivity of stored credentials. Threat actors are increasingly targeting passwordless authentication methods (e.g., passkeys) and exploiting psychological triggers (e.g., inheritance processes). Legacy features in security products can become attack vectors if not rigorously secured against social engineering. User education remains critical to combat sophisticated phishing.

References

Where can I find more information about each incident ?

Incident : Data Breach LAS214211222

Source: Amazon Web Services blog post from 2020

Incident : Phishing LAS3302433101625

Source: BleepingComputer

URL: https://www.bleepingcomputer.com

Date Accessed: 2023-10-09

Incident : Phishing LAS3302433101625

Source: LastPass Threat Alert

Date Accessed: 2023-10-09

Incident : Phishing LAS3302433101625

Source: Malwarebytes (1Password campaign analysis)

URL: https://www.malwarebytes.com

Date Accessed: 2023-10-09

Incident : Phishing LAS3302433101625

Source: Hoax-Slayer (1Password phishing report)

Date Accessed: 2023-09-25

Incident : phishing LAS1192211102425

Source: LastPass Blog

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Amazon Web Services blog post from 2020; BleepingComputer (https://www.bleepingcomputer.com, accessed 2023-10-09); LastPass Threat Alert (accessed 2023-10-09); Malwarebytes (1Password campaign analysis, https://www.malwarebytes.com, accessed 2023-10-09); Hoax-Slayer (1Password phishing report, accessed 2023-09-25); LastPass Blog.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Phishing LAS3302433101625

Investigation Status: Ongoing (analysis of malware samples and phishing infrastructure)

Incident : phishing LAS1192211102425

Investigation Status: ongoing (active campaign as of April 2024)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders by informing users about the breach and recommending password updates, a LastPass blog post clarifying that no breach occurred, media coverage by BleepingComputer and Malwarebytes, social media warnings, blog posts and media alerts.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach LAS1151522

Customer Advisories: Recommended users to update their weak master passwords

Incident : Phishing LAS3302433101625

Stakeholder Advisories: LastPass: Clarified no breach occurred; urged users to ignore fake emails. Bitwarden: No official statement yet (as of report). 1Password: No official statement yet (as of report). Cybersecurity community: Shared indicators of compromise (IoCs) and tactical advice.

Customer Advisories: Do not download software from email links; always use official app stores or websites. Report phishing emails to the password manager provider and email service. Check for unusual activity in password vaults or connected devices. Never share master passwords or 2FA codes, even if prompted by seemingly official emails.

Incident : phishing LAS1192211102425

Stakeholder Advisories: Public warning issued to LastPass users.

Customer Advisories: Users advised to ignore inheritance requests unless independently verified, avoid entering credentials on linked sites, and report suspicious activity.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Recommended users to update their weak master passwords. LastPass: Clarified no breach occurred; urged users to ignore fake emails. Bitwarden: No official statement yet (as of report). 1Password: No official statement yet (as of report). Cybersecurity community: Shared indicators of compromise (IoCs) and tactical advice. Do not download software from email links; always use official app stores or websites. Report phishing emails to the password manager provider and email service. Check for unusual activity in password vaults or connected devices. Never share master passwords or 2FA codes, even if prompted by seemingly official emails. Public warning issued to LastPass users. Users advised to ignore inheritance requests unless independently verified, avoid entering credentials on linked sites, and report suspicious activity.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Phishing LAS3302433101625

Entry Point: Phishing emails with malicious binary attachments (disguised as password manager updates)

Reconnaissance Period: Likely minimal (opportunistic campaign targeting broad user base)

Backdoors Established: Syncro MSP agent (hidden system tray icon), ScreenConnect remote access tool

High Value Targets: Password Vault Credentials, Saved Payment Information, Corporate/Enterprise Users With Elevated Access

Data Sold on Dark Web: Password Vault Credentials, Saved Payment Information, Corporate/Enterprise Users With Elevated Access

Incident : phishing LAS1192211102425

Entry Point: phishing emails (legacy inheritance requests)

Reconnaissance Period: likely extensive (group known for targeting crypto wallets since at least 2022)

High Value Targets: Cryptocurrency Wallet Credentials, Passkeys, Password Vaults

Data Sold on Dark Web: Cryptocurrency Wallet Credentials, Passkeys, Password Vaults

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Phishing LAS3302433101625

Root Causes: Lack of user awareness about phishing tactics impersonating trusted brands. Abuse of legitimate RMM tools (Syncro, ScreenConnect) to bypass security controls. Exploitation of psychological triggers (urgency, fear) in email lures. Timing of campaign during holiday weekend to delay detection/response.

Corrective Actions: Enhanced email filtering for impersonation attacks targeting password managers. Blocklist known malicious domains (e.g., lastpasspulse[.]blog, bitwardenbroadcast.blog). User training on verifying software updates and security alerts. Restrict execution of unauthorized RMM tools via endpoint protection. Monitor for unusual installations of ScreenConnect or Syncro agents.

Incident : phishing LAS1192211102425

Root Causes: Exploitation of trust in LastPass's legacy inheritance feature. Lack of robust verification for high-risk access requests. Passkey storage in password managers becoming a target for credential theft. User susceptibility to social engineering (urgency, authority impersonation).

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as engaging a leading cybersecurity and forensics firm, Cloudflare (blocking phishing pages) and Malwarebytes (analysis of the 1Password campaign).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Enhanced email filtering for impersonation attacks targeting password managers. Blocklist known malicious domains (e.g., lastpasspulse[.]blog, bitwardenbroadcast.blog). User training on verifying software updates and security alerts. Restrict execution of unauthorized RMM tools via endpoint protection. Monitor for unusual installations of ScreenConnect or Syncro agents.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the listed incidents were an unauthorized party (two incidents) and CryptoChameleon (UNC5356).

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2023-10-09T00:00:00Z.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-10-09T00:00:00Z.

Impact of the Incidents

What was the highest financial loss from an incident ?

Highest Financial Loss: The highest financial loss from an incident was $4.4 million (from 2022 breach-linked cryptocurrency losses; current campaign losses unspecified).

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were email addresses, password reminders, server per-user salts, authentication hashes, source code, technical information (no customer data or encrypted passwords were accessed), potential access to password vaults via saved credentials, system metadata, user activity monitoring, LastPass master passwords, passkeys and potential vault contents.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were the development environment, end-user devices (Windows, possibly macOS), password manager applications (if credentials were exposed), LastPass user accounts and passkey storage systems.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was a leading cybersecurity and forensics firm, Cloudflare (blocking phishing pages) and Malwarebytes (analysis of the 1Password campaign).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Cloudflare blocking phishing domains (lastpasspulse[.]blog, lastpasjournal[.]blog, bitwardenbroadcast.blog, onepass-word[.]com), public advisories from LastPass and cybersecurity researchers, and a public advisory to users warning about phishing domains.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Technical Information, System metadata, passkeys, email addresses, potential vault contents, Source Codes, password reminders, User activity monitoring, LastPass master passwords, No customer data or encrypted passwords were accessed., server per user salts, authentication hashes and Potential access to password vaults via saved credentials.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lessons learned from past incidents were: Password manager users are high-value targets due to the sensitivity of stored credentials. Threat actors are increasingly targeting passwordless authentication methods (e.g., passkeys) and exploiting psychological triggers (e.g., inheritance processes). Legacy features in security products can become attack vectors if not rigorously secured against social engineering. User education remains critical to combat sophisticated phishing.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Enable multi-factor authentication (MFA) for all critical accounts, including password managers. Monitor for suspicious domains spoofing legitimate services (e.g., lastpassrecovery[.]com). Organizations should block or restrict unauthorized RMM tools (e.g., Syncro, ScreenConnect) unless explicitly whitelisted. Educate users on recognizing vishing (voice phishing) tactics. Enable multi-factor authentication (MFA) for password managers and associated email accounts. Deploy email security solutions to detect and quarantine phishing messages impersonating trusted brands. Implement delays or additional verification for high-risk actions like inheritance requests. Conduct regular phishing simulations to train users on recognizing social engineering tactics. Use hardware security keys (e.g., YubiKey) for passkey storage to resist phishing. Use hardware security keys where possible to mitigate phishing risks. Verify inheritance/access requests through out-of-band channels (e.g., phone calls to trusted contacts). Monitor for unusual activity in password vaults (e.g., unexpected logins or changes). Always verify security alerts by logging into official websites (not via email links).

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are Malwarebytes (1Password campaign analysis), LastPass Threat Alert, Hoax-Slayer (1Password phishing report), Amazon Web Services blog post from 2020, BleepingComputer and LastPass Blog.

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URLs for additional resources on cybersecurity best practices are https://www.bleepingcomputer.com and https://www.malwarebytes.com.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (analysis of malware samples and phishing infrastructure).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: LastPass: Clarified no breach occurred; urged users to ignore fake emails. Bitwarden: No official statement yet (as of report). 1Password: No official statement yet (as of report). Cybersecurity community: Shared indicators of compromise (IoCs) and tactical advice. Public warning issued to LastPass users.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: Recommended users to update their weak master passwords. Do not download software from email links; always use official app stores or websites. Report phishing emails to the password manager provider and email service. Check for unusual activity in password vaults or connected devices. Never share master passwords or 2FA codes, even if prompted by seemingly official emails. Users advised to ignore inheritance requests unless independently verified, avoid entering credentials on linked sites, and report suspicious activity.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were phishing emails with malicious binary attachments (disguised as password manager updates) and phishing emails (legacy inheritance requests).

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The most recent reconnaissance periods for the incidents were likely minimal (opportunistic campaign targeting broad user base) and likely extensive (group known for targeting crypto wallets since at least 2022).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: Lack of user awareness about phishing tactics impersonating trusted brands. Abuse of legitimate RMM tools (Syncro, ScreenConnect) to bypass security controls. Exploitation of psychological triggers (urgency, fear) in email lures. Timing of campaign during holiday weekend to delay detection/response. Exploitation of trust in LastPass's legacy inheritance feature. Lack of robust verification for high-risk access requests. Passkey storage in password managers becoming a target for credential theft. User susceptibility to social engineering (urgency, authority impersonation).

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: Enhanced email filtering for impersonation attacks targeting password managers. Blocklist known malicious domains (e.g., lastpasspulse[.]blog, bitwardenbroadcast.blog). User training on verifying software updates and security alerts. Restrict execution of unauthorized RMM tools via endpoint protection. Monitor for unusual installations of ScreenConnect or Syncro agents.

CVE

Latest Global CVEs (Not Company-Specific)

Description

Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.

Risk Information
cvss3
Base: 5.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description

KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3.

Risk Information
cvss4
Base: 8.2
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).

Risk Information
cvss3
Base: 6.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Description

An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=lastpass' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.