July 20 marks our first birthday here at LastPass Labs, and we thought it would be a good time to look back over the last year and celebrate some of our successes. It has been a busy year for us. We’ve made demonstrable progress in mapping and understanding our threat environment. And with this knowledge and in conjunction with our security teams, we mitigated these threats to the extent possible. Let’s review some of these highlights from the last 12 months:
- In November 2023, we alerted our customers and the larger community to a phishing campaign leveraging our branding. Our team’s response disrupted the threat actors’ operations and forced them to shift tactics, including changing IPs, URLs, and emails and finally moving to QR codes in their phishing emails in order to avoid URL detections, before the campaign faded out.
- In December, we proudly reported on an observed 98% decrease in LastPass customer data in infostealer logs available on dark web markets between April and December 2023. This was a direct result of our efforts to track and disrupt threat actors’ operations targeting our customers’ information.
- In February of this year, we detected a fraudulent app in the Apple App Store impersonating our brand. We notified Apple of the app and had it promptly taken down. However, the incident highlighted that even trusted sources sometimes make mistakes and that an extra set of eyes looking out for our customers makes a big difference.
- In April, we reported on an attempted scam call to one of our employees leveraging an audio deepfake of our CEO. The attempt was not successful, but we wanted to share our experience as well as the best practices that helped protect us against the attempt. We’ve spoken widely about this attempt because we believe it represents the future of social engineering and that cooperation across the industry is the best defense.
- Finally, in April of this year, LastPass customers were the focus of a sustained phishing campaign associated with the CryptoChameleon phishing and social engineering group. We quickly alerted our customers, and we highlighted the new information and tactics of these threat actors on this blog to raise awareness both for our community and the larger industry.
The entire LastPass Labs team, which has continued to grow over the last year, continues to focus on keeping our customers, our company, and our industry safe, and we remain committed to sharing our findings and best practices as widely as we can. We’re proud of these achievements and look forward to many more in the future… we’re just getting started.