LastPass admits ‘elements’ of customer data accessed in breach

The password manager denies the exfiltration of any password data in an attack that also hit affiliate GoTo

1 December 2022

LastPass said that unusual activity was detected on a third-party cloud storage platform used by the company. Following the launch of an investigation involving cyber security firm Mandiant, it was established that a threat actor had accessed some customer information.

There is no evidence to suggest that customer passwords were affected or obtained in the attack, and LastPass states that all passwords remain securely encrypted.

The incident follows a similar attack in August in which a hacker stole LastPass source code. In that case, the hacker made use of a compromised developer account to breach the company’s development environment and then stole source code and technical information. At the time, the firm denied that any customer data or password vaults were stolen.

In the statement announcing the recent incident, LastPass CEO Karim Toubba linked the two attacks by suggesting that it was information stolen in the August incident that enabled this new attack.

“We have determined that an unauthorised party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” said Toubba in a blog post. “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”

LastPass affiliate GoTo (formerly LogMeIn) was also affected in the attack; the two companies share the same third-party cloud storage service.

In a blog post covering the incident, GoTo CEO Paddy Srinivasan said that the company “detected unusual activity within our development environment and third-party cloud storage service”.

The company stated that all its products and services remain operational and that it is deploying further security measures and monitoring to prevent further activity from threat actors.

GoTo has not offered further information on the specific activity performed within its development environment and, unlike LastPass, made no mention of customer information being affected.

Password managers are a popular solution for storing logins securely, and can be extremely beneficial for business use, especially in roles burdened with a large number of critical passwords.

In addition to safely storing passwords, such managers also generate cryptographically secure random passwords that are far more difficult for attackers to guess than the weaker passwords people commonly choose for themselves.

LastPass has urged customers to follow its recommended security practices and is working with GoTo, Mandiant, and law enforcement services to investigate the issue.

Future Publishing
