Hackers Voice Cloned the CEO of LastPass for Attack

They weren't successful this time, at least.

Faking It

AI scammers have come for the world of security startups — though in this case, thankfully, they were not successful.

In a new blog post from LastPass, the password management firm used by countless personal and corporate clients to help protect their login information, the company explains that someone used AI voice-cloning tech to spoof the voice of its CEO in an attempt to trick one of its employees.

As the company writes in the post, one of its employees earlier this week received several WhatsApp communications — including calls, texts, and a voice message — from someone claiming to be its CEO, Karim Toubba. Luckily, the LastPass worker didn't fall for it because the whole thing set off so many red flags.

"As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency)," the post reads, "our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally."

Big Phish

As the company noted in its blog post, these sorts of attacks are on the rise. In fact, a Hong Kong tech worker ended up paying out $25 million to a scammer earlier this year who'd used deepfake technology to make a video impersonating not only his company's CEO, but several other people who worked with him, too.

While this LastPass scam attempt failed, those who follow these sorts of things may recall that the company has been subject to successful hacks before.

In August 2022, as a timeline of the event compiled by the Cybersecurity Dive blog detailed, a hacker compromised a LastPass engineer's laptop and used it to steal source code and company secrets, eventually getting access to its customer database — including encrypted passwords and unencrypted user data like email addresses.

According to that timeline, the clearly-resourceful bad actor remained active in the company's servers for months, and it took more than two months for LastPass to admit that it had been breached. More than six months after the initial breach, Toubba, the CEO, provided a blow-by-blow timeline of the months-long attack and said he took "full responsibility" for the way things went down in a February 2023 blog post.

It's no surprise that in the aftermath of that lengthy breach, which somehow didn't entirely tank the company, its employees are on edge about potential hacks — and lucky for them, good old-fashioned skepticism let them nip this one in the bud.

More on voice cloning: Bone-Chilling AI Scam Fakes Your Loved Ones' Voices to Demand Hostage Ransom