LastPass is a password manager that enables its customers to reduce the reuse of passwords online, by storing them in a single app. The service also helps users to generate strong passwords.
What the company told users
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” LastPass CEO Karim Toubba said in a blog post.
He noted that the company determined that an unauthorised party gained access to certain elements of its customers’ data by using information obtained in the August 2022 incident.
The CEO says that the company is working to “understand the scope of the incident and identify what specific information has been accessed.” As part of its investigation, the company is deploying “enhanced security measures and monitoring capabilities” across its infrastructure to prevent further threat actor activity.
Toubba says that customers’ data (passwords) is safe and encrypted with LastPass’s Zero Knowledge architecture. He also noted that LastPass products and services remain fully functional.
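To make the "Zero Knowledge" claim concrete, the following is an added illustration of how a zero-knowledge password-vault design works in general terms; it is not LastPass's code, and the key-derivation parameters, the HMAC-based counter-mode cipher (standing in for a real AEAD such as AES-256-GCM) and the sample vault are assumptions constructed for this example. The client derives every secret from the master password, and the server stores only ciphertext plus a separately derived login hash, so a copy of the server's data contains no decryption key.

```python
# Added illustration of a zero-knowledge password-vault design (not LastPass's
# code; the KDF parameters and the cipher construction are assumptions chosen
# for this example). The client derives every secret from the master password;
# the server only stores ciphertext plus a separately derived login hash.
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 600_000  # assumed PBKDF2-SHA256 work factor for this example


@dataclass(frozen=True)
class ServerRecord:
    """Everything the server keeps for one user: no plaintext, no vault key."""
    email: str
    login_hash: bytes   # server-side re-hash of the client's login hash
    login_salt: bytes
    vault_blob: bytes   # nonce || ciphertext || tag


def derive_vault_key(email: str, master_password: str, iterations: int = ITERATIONS) -> bytes:
    """Client-only: the vault key is derived locally and never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step: the value sent to the server cannot be reversed into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-256-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault authentication failed: wrong master password or tampered blob")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def client_enroll(email: str, master_password: str, vault_plaintext: bytes) -> ServerRecord:
    """What the client sends at sign-up: a login hash and the encrypted vault, never the key."""
    vault_key = derive_vault_key(email, master_password)
    login_hash = derive_login_hash(vault_key, master_password)
    salt = os.urandom(16)
    # The server hashes the login hash again so a stolen database row cannot be replayed as a login.
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, 10_000)
    return ServerRecord(email, stored, salt, encrypt_vault(vault_key, vault_plaintext))


def server_verify_login(record: ServerRecord, login_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record.login_salt, 10_000)
    return hmac.compare_digest(candidate, record.login_hash)


def client_unlock(record: ServerRecord, master_password: str) -> bytes:
    """Re-derive the key locally, authenticate to the server, then decrypt the returned blob."""
    vault_key = derive_vault_key(record.email, master_password)
    if not server_verify_login(record, derive_login_hash(vault_key, master_password)):
        raise PermissionError("login rejected")
    return decrypt_vault(vault_key, record.vault_blob)


def record_contains_key(record: ServerRecord, email: str, master_password: str) -> bool:
    """Defender's check: does anything the server stores equal or contain the vault key?"""
    key = derive_vault_key(email, master_password)
    return key in record.vault_blob or key == record.login_hash


if __name__ == "__main__":
    vault = b'{"example.com": "correct horse battery staple"}'  # constructed sample vault
    rec = client_enroll("user@example.com", "a long master passphrase", vault)
    assert client_unlock(rec, "a long master passphrase") == vault
    assert not record_contains_key(rec, "user@example.com", "a long master passphrase")
    print("server holds", len(rec.vault_blob), "bytes of ciphertext and no key")
```

The design choice worth noting for defenders: because the server never holds the vault key, a copy of the stored blobs is only as protected as the master password and the KDF work factor behind it, which is why both the password's strength and the iteration count matter when encrypted vault data is exposed.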
Second breach in 5 months
On August 25, LastPass reported that it had detected unusual activity in which an unauthorised party gained access to portions of the LastPass development environment “through a single compromised developer account.”
“After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” the CEO said at that time.
Citing its investigation and forensics process, the company also noted that the threat actor’s activity lasted four days and that the company then contained the incident.