Password management app LastPass says it's investigating a security incident after an “unauthorized party” hacked into its systems on Wednesday and gained access to some customer information.
The information was stored in a third party cloud service shared between LastPass and the parent company. GoTo,” LastPass CEO Karim Tubba said in a blog post. Tubba said the hackers used information stolen from LastPass systems in a separate previously disclosed incident that occurred in August of this year. Tubba added on his blog that “customer passwords remain securely encrypted.”
We recently discovered unusual activity on a third-party cloud storage that both parties are currently using. LastPass and its subsidiary GoTo. We immediately launched an investigation, brought in Mandiant, a leading security firm, and notified law enforcement.
We have determined that an unauthorized party, using information obtained from the August 2022 incident, was able to gain access to certain elements of our customers' information. Our customers' passwords remain securely encrypted thanks to LastPass' zero-knowledge architecture.
According to a blog post on August 22, in a previous incident, an attacker gained access to the LastPass development environment using a compromised developer endpoint to steal source code and some proprietary LastPass technical information. At the time, LastPass said its systems “prevented an attacker from accessing any customer data or encrypted password vaults.”
LastPass is currently working to understand the scope of the Wednesday incident and determine which specific information has been accessed. . GoTo, formerly LogMeIn, said it was also investigating the incident, although it did not explain whether GoTo users were affected by the hack. In the meantime, LastPass products and services remain “fully functional,” Tubba said.
Tags: LastPass, security[ 39 comments ]