LastPass, one of the most popular password management tools on the market, disclosed that it has been breached. This is the second time this year the company has disclosed a breach. LastPass CEO Karim Toubba said in a press release that “certain elements of our customers’ information” was accessed by the attackers.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” said Toubba.
Despite the attackers accessing customer information, Toubba believes that customer passwords remain intact.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” continued Toubba.
While the third-party cloud service provider was not named, according to TechCrunch it is believed that it is most likely AWS. A 2020 company blog post by AWS cited the company’s transition of a billion customer records to Amazon’s cloud platform.
In August, Toubba said that an “unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.” Product source code was part of the stolen data.
LastPass is still working with Mandiant to understand what specific data was accessed.
