LastPass, a password management tool, reports that it is looking into a security incident after an “unauthorized entity” on Wednesday breached its servers and obtained some client data.
According to LastPass CEO Karim Toubba in a blog post, the data was kept in a third-party cloud service that both LastPass and its parent company GoTo shared. Additionally, Toubba claimed that the hackers had used data taken from LastPass’ computers in a different, previously known incident in August of this year. However, customers’ passwords “remain safely encrypted,” Toubba stated in the blog post.
We have recently observed strange activity in a third-party cloud storage provider that LastPass and its partner, GoTo, now use. So we informed law enforcement, hired Mandiant, a renowned security company, and immediately started an investigation.
We’ve established that a third party could access some aspects of our customers’ information using data collected from the August 2022 incident. However, due to LastPass’s Zero Knowledge architecture, our customers’ passwords are securely encrypted.
A threat actor used a developer’s compromised endpoint to access the LastPass Development environment in a previous incident, according to a blog post from August 22. They were able to obtain source code and some confidential LastPass technical information. However, according to LastPass’s statement, the threat actor couldn’t access any client data or encrypted password vaults.
LastPass is presently investigating to determine the extent of the incident that occurred on Wednesday and what specific information was accessed. Although GoTo, previously LogMeIn, stated that it looked into the situation, it did not specify whether GoTo users were also impacted. According to Toubba, LastPass’s products and services are still “completely working” in the interim.