Total Tests:

Arizona agencies possibly exposed in LastPass data breach

By Jerod MacDonald-Evoy for Arizona Mirror
Wednesday, March 15, 2023

Multiple state agencies, including the Arizona Department of Homeland Security and state’s Medicaid provider, may have had their passwords and login credentials exposed in a breach of the popular password management software LastPass.

But silence doesn’t always mean that nothing is happening, according to Dr. Ilia Kolochenko, the chief architect at cybersecurity firm ImmuniWeb and a professor of cybersecurity practice and cyberlaw at Capitol Technology University.

“Cyber mercenaries, they have absolutely no interest in exposing their intrusion,” Kolochenko said, adding that those who are hired by a criminal organization or state actor have an increased interest in making sure their trails are hidden. “This is something that cyber criminals and their clients are trying to avoid, so they are trying to make their intrusions as silent and invisible as possible.”

One way the effect of a breach such as this one can be measured is by seeing if login credentials or passwords are being sold on online forums on the dark web. However, Kolochenko said that in cases such as this one, that may also be more difficult.

More sophisticated hackers and sellers in the online criminal ecosystem will not openly sell their “high end” wares, only sharing that information with clients they trust or holding the information for their own personal use.

“It doesn’t necessarily mean that your data is not being sold somewhere and to someone,” Kolochenko said about not finding the state’s data on black market forums. The Mirror checked several forums popular with selling of stolen data but did not find any selling Arizona data related to the LastPass breach.

The Arizona Attorney General’s Office refused to comment if an investigation into the breach had been launched. In Arizona, if a data breach impacts more than 1,000 residents, then the company is required to notify those affected, the AG, the Department of Homeland Security and the three largest consumer credit reporting agencies. There are penalties for companies that fail to notify properly.

Kolochenko said that Arizona residents that may have interfaced with state agencies like AHCCCS or the Department of Financial Institutions should immediately change their passwords and engage two-factor authentication on all their accounts. Kolochenko also suggested that Arizona residents should monitor their credit, as the first attack of many hackers is lines of credit.

It is currently unknown the entire scope of the LastPass breach and if Arizona credentials were exposed.

“While we do not, as a rule, comment on individual interactions with customers, we are committed to addressing concerns from all customers and to directly discussing any further steps they may need to take in response to past incidents,” LastPass said in a statement.

“As you may be aware, LastPass has already taken steps to notify all customers of the incident, as well as subsequent blog updates. And we will, of course, remain committed to complying with any related legal or regulatory requirement,” the statement added.

Kolochenko believes that the impact on governments will not be as impactful but he is also not entirely sure. Some companies start “rapidly ringing the bell” on data breaches, only to find that a small number of users were ever impacted, while others fail to disclose until it is too late.

When it comes to LastPass, Kolochenko said that he believes they fall “somewhere in the middle.” Read Full Article


Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential