Threat actors have breached LastPass, Slack, and CircleCI, raising concerns across the board.
All parties involved have refused to reveal the true state of affairs or how the attacks were carried out. Some even postponed the announcement in order to keep the public safe and minimize the attack.
LastPass’ encrypted password vaults, which store its customers’ passwords and other secrets, were stolen by cybercriminals last December.
In a blog post, Slack stated that an outside threat actor stole a limited number of employee tokens and used them to gain access to the company’s externally hosted GitHub repository. On December 27, the threat actor also downloaded private code repositories, according to the investigation. None of the repositories contained customer data, access to that data, or the primary code base of the company.
CircleCI, for its part, stated that attackers breached its platform for two weeks during the recent Christmas and New Year’s holidays. Customers were then advised to “rotate any secrets stored in CircleCI” while the company investigated an apparent intrusion and data breach.
The fear is growing because the organizations that are supposed to keep our secrets safe are being breached and are not being honest with them. While CircleCI remains tight-lipped about what happened, Slack’s advisory is similarly evasive.
The sources for this piece include an article in ArsTechnica.