LastPass Data Breach | World Cup Themed Cyberattacks | Meta Fined $277 Million For Leak

December 5th

Article by Christopher Lauder, Client Engagement Executive, Rela8 Group


LastPass Data Breach

LastPass has experienced another data breach, this time exposing user data. According to a post from LastPass CEO Karim Toubba, hackers accessed a third-party cloud storage service used by the password manager and were able to gain access to customer information.

It is still not clear what information the attackers accessed or how many customers were affected, but in his post Toubba stated that users’ passwords were not compromised:

“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.”

“We have determined that an unauthorised party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information. Our customers' passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before being detected. The new attack is connected: Toubba says LastPass determined that the attackers reached customer data using information obtained in that earlier incident. The LastPass service remains “fully functional” despite the breach, and the company has launched a full investigation:

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
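The “Zero Knowledge architecture” Toubba refers to means the master password and the key that decrypts the vault are derived on the client and never sent to the server, so a stolen server-side record cannot simply be decrypted. The example below is added here to illustrate that property and its limit; it is not LastPass code, and the construction (PBKDF2 with the e-mail as salt, a second PBKDF2 round to produce the login hash, the field names in the record) is an assumed design for illustration only. The constructed record and wordlist show what a party holding such a record can still do: guess master passwords offline, at a cost of one full derivation per guess.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple


def derive_keys(master_password: str, email: str, iterations: int) -> Tuple[bytes, bytes]:
    """Client-side derivation (assumed construction, not LastPass's own).

    vault_key  : decrypts the vault locally and never leaves the device.
    login_hash : sent to the server as the login credential. It is derived from
                 vault_key by one more PBKDF2 round, so holding it does not give
                 the server, or whoever steals its records, the vault key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations
    )
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


def enrol(email: str, master_password: str, iterations: int) -> dict:
    """The record the server keeps. Note what is absent: the master password
    and the vault key. That absence is the whole of the 'zero knowledge' claim."""
    _, login_hash = derive_keys(master_password, email, iterations)
    return {"email": email.lower(), "iterations": iterations, "login_hash": login_hash.hex()}


def check_guess(record: dict, candidate: str) -> bool:
    """Recompute the login hash for a candidate master password and compare.
    An attacker holding a stolen record runs exactly this computation offline."""
    _, login_hash = derive_keys(candidate, record["email"], record["iterations"])
    return hmac.compare_digest(login_hash.hex(), record["login_hash"])


def offline_guess(record: dict, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack against a stolen record. Zero knowledge does not stop
    this; it only makes each guess cost `iterations` PBKDF2 rounds, so the real
    defences are master-password entropy and a high iteration count."""
    for candidate in wordlist:
        if check_guess(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data: a weak master password and a short wordlist.
    record = enrol("alice@example.com", "hunter2", iterations=100_000)
    print("server holds:", record)
    print("recovered master password:", offline_guess(record, ["letmein", "password", "hunter2"]))
```

The practical reading of the vendor statement is therefore conditional: vault contents stay protected only for users whose master password is not guessable within the attacker’s budget, which is why a breach of server-side data is a reason to rotate a weak master password even when the vendor says the data is encrypted.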

Source - LastPass Breach - LastPass

Source - LastPass Breach - The Verge

Source - LastPass Breach - Naked Security / Sophos

Source - LastPass Breach - MacRumors


World Cup Themed Cyberattacks

The hype and popularity of the FIFA World Cup has attracted a variety of cybercriminals looking to exploit fans and the organisations taking part. These criminals are targeting unsuspecting fans who are too distracted by the tournament to pay attention to cyber security.

After looking at the various threats aimed at fans and organisations attending the World Cup, contextual AI security firm CloudSEK reported that the cybercriminals are primarily motivated by "financial gain, ideology, or geo-political affiliations”.

This is not the first time behaviour like this has been identified. As noted in the report, previous sporting events such as the World Cup and the Winter Olympics, both in 2018, were subject to 25 million and 12 million cyberattacks per day, respectively.

Financially motivated cybercriminals have resorted to selling fake Hayya cards (FIFA entry permits) and match tickets, and even to using stolen credit cards to arrange travel and lodging for the tournament.

The CloudSEK report noted that several Telegram channels offer fake Hayya cards requiring valid identification from buyers and only accept Bitcoin as payment. With Crypto.com as an official sponsor and Binance partnering with Cristiano Ronaldo to promote football themed NFTs, scammers have been quick to capitalise on the tournament's ties to crypto and NFTs by selling 'World Cup Coin' and 'World Cup Token'.

A CloudSEK researcher said the following in a press release:

"The gap between the supply and demand of FIFA World Cup game tickets, flight tickets, hotels, souvenirs, etc., has been co-opted by cybercriminals, to defraud fans and enthusiasts."

“Despite the attractive offers and lures, users should restrict their purchases to official websites and mobile apps. And companies that are FIFA sponsors should bolster their security mechanisms and stay up to date on threat actors' tactics and techniques."

Source - FIFA Cyberattacks - CloudSEK

Source - FIFA Cyberattacks - HelpNetSecurity

Source - FIFA Cyberattacks - TechMonitor

Source - FIFA Cyberattacks - SC Magazine

Meta Fined $277 Million For Leak

Ireland’s Data Protection Commission (DPC) hit Meta with a €265 million fine after an April 2021 data leak exposed the information of more than 533 million users. The DPC opened its investigation shortly after news of the leak broke; it examined whether Facebook had complied with Europe’s General Data Protection Regulation (GDPR).

The leaked information, spotted by Insider, was posted to an online hacking forum and included the full names, phone numbers, locations, and birthdates of users of the platform, collected between 2018 and 2019. At the time, Meta said the bad actor obtained the information by scraping through a vulnerability that the company fixed in 2019.

This marks the third fine the DPC has imposed on Meta this year. In March, the DPC fined Meta $18.6 million for poor record-keeping in relation to a series of 2018 data breaches that exposed the information of up to 30 million Facebook users. The regulator also hit Meta with a $402 million fine in September following an investigation into Instagram’s handling of teenagers’ data.

Meta has been fined nearly $700 million by the DPC in 2022 — and that doesn’t include the $267 million fine WhatsApp incurred for violating Europe’s data privacy laws last year.

Commenting on the news, a spokesperson for Meta said:

"[Meta] had made changes to its systems during the time in question, including removing the ability to scrape our features in this way using phone numbers."

"Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge”.

Source - Meta Fined - TechRadar

Source - Meta Fined - The Verge

Source - Meta Fined - Guardian
