LastPass, a freemium password manager that stores encrypted passwords online, on Wednesday revealed another data breach incident that allowed unknown threat actors to access its cloud storage through information stolen from LastPass’ systems in August this year.
For those unaware, LastPass was involved in another data breach incident in August 2022 that allowed an unauthorized party to gain access to portions of the LastPass development environment through a single compromised developer account for four days until they were detected and removed.
The hackers stole snippets of the company’s source code and some proprietary technical information. However, no data within users’ vaults, personal information, or master passwords were compromised in the August incident.
In an update to the Notice of Recent Security Incident, the company said that they recently detected unusual activity within a third-party cloud storage service, which is currently used by both LastPass and its affiliate, GoTo, and immediately started an investigation.
Based on the investigation, LastPass found that an unauthorized party used information obtained in the August 2022 incident to gain access to “certain elements” of customers’ information on the cloud.
The company said its customers’ passwords remain encrypted and safe due to LastPass’s Zero Knowledge architecture.
In response to the incident, LastPass has engaged Mandiant, a leading security firm, and alerted law enforcement.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” Karim Toubba, CEO of LastPass, said in the notice.
“As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.
“We thank you for your patience while we work through our investigation. As is our practice, we will continue to provide updates as we learn more.”
The company has recommended that its users follow its best practices around the setup and configuration of LastPass.
LastPass has yet to reveal any additional information regarding the data breach, or what customer data was stolen. Since it is an ongoing investigation, we can expect to hear more updates on the matter in the coming weeks.