LastPass Breached Again And This Time It Exposed Customer Details To Hackers

The CEO of the password manager LastPass, Karim Toubba, has published a blog post on the company’s website disclosing a recent security breach. According to the blog post, this incident affected both LastPass and its affiliate company GoTo, with a similar blog post appearing on the GoTo website. With the help of the cybersecurity firm Mandiant, LastPass determined that the threat actors behind this recent incident were able to access some customer information. However, users’ passwords were not exposed in the data breach, as LastPass protects this data with end-to-end encryption.

This new LastPass breach comes on the heels of a LastPass security breach in August. This earlier breach did not impact any customer data, as it instead affected the company’s development environment, which LastPass claims doesn’t store customer data and is isolated from the production environment. Nonetheless, the threat actors were able to gain unauthorized access to some LastPass source code and proprietary information stored in the development environment.

Now, the investigation of the new LastPass data breach has revealed that threat actors leveraged information stolen in the earlier breach to conduct the new one, which has affected customer information. The stolen information was stored in an unnamed third-party cloud storage service shared by both LastPass and GoTo. Both companies have yet to disclose what customer information the threat actors may have accessed. All we know is that customer passwords should be safe regardless of what information was stolen, as LastPass’s zero-knowledge encryption prevents both threat actors and the company’s own employees from accessing the private keys that decrypt customers’ passwords.

The investigation into this new incident is still ongoing, but hopefully we’ll soon learn what information the threat actors accessed in this new data breach and how they managed to do so. The CEO says in his blog post that LastPass will “continue to provide updates as we learn more,” and the company made good on that promise after the last security breach, publishing an update on the results of its investigation three weeks after the breach was first announced. For now, LastPass users will have to sit tight and wait to hear what information of theirs, if any, was stolen in this data breach.