LastPass admits 'elements' of customer data accessed in breach
The password manager denies the exfiltration of any password data in an attack that also hit affiliate GoTo


Password manager firm LastPass has revealed that it was subject to another security breach in which a threat actor accessed a system used by the firm, as well as some customer information.
LastPass said that unusual activity was detected on a third-party cloud storage platform used by LastPass. Following the launch of an investigation involving cyber security firm Mandiant, it was established that a threat actor accessed some customer information.
There is no evidence to suggest that customer passwords were affected or obtained in the attack, and LastPass states that all passwords remain securely encrypted.
The incident follows a similar attack in August in which a hacker stole LastPass source code. In that case, the hacker made use of a compromised developer account to breach the company’s development environment and then stole source code and technical information. At the time, the firm denied that any customer data or password vaults were stolen.
In the statement announcing the recent incident, LastPass CEO Karim Toubba linked the two attacks by suggesting that it was information stolen in the August incident that enabled this new attack.
“We have determined that an unauthorised party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” said Toubba in a blog post. “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”
LastPass affiliate GoTo (formerly LogMeIn) was also affected in the attack; the two companies share the same third-party cloud storage service.
In a blog post covering the incident, GoTo CEO Paddy Srinivasan said that the company “detected unusual activity within our development environment and third-party cloud storage service”.
The company stated that all its products and services remain operational and that it is deploying further security measures and monitoring to prevent further activity from threat actors.
GoTo has not offered further information on the specific activity performed within its development environment, and unlike LastPass made no mention of customer information being affected.
"Third-party cloud storage certainly poses risks for organisations," said Javvad Malik, lead security awareness advocate at KnowBe4, to IT Pro. "This will vary depending on the nature of data that is stored or processed on the third-party cloud.
"Data can sometimes be considered similar to chemical elements. On their own, maybe a certain element is stable and benign. But mix it with other stable elements under the right conditions and you could end up with something volatile.
"Similarly, we cannot completely dismiss any data breach as completely benign. There is always something that can be taken which could be combined with other data elements, or saved for future use. So while the risk may be low, we cannot say there is no risk at all. In all of this though, it is important to commend LastPass for their exemplary transparency in their incident response."
Password managers are a popular solution for storing logins securely, and can be extremely beneficial for business use, especially in roles burdened with a large number of critical passwords.
In addition to safely storing passwords, such managers also generate cryptographically secure random passwords that are far more difficult for attackers to guess than the passwords people commonly choose for themselves.
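To make the "cryptographically secure" point above concrete, here is an added example (not code from the article, LastPass or GoTo) showing how a password generator should draw characters from the operating system's CSPRNG and how to estimate the resulting guessing cost. The alphabet, the required character classes, the assumed attacker guess rate and the "word + two digits + symbol" pattern used for comparison are all constructed assumptions for illustration, not figures from the page.

```python
import math
import secrets
import string

# Constructed alphabet: letters, digits and ASCII punctuation (94 symbols).
# Assumption: a typical manager's default character set, not any vendor's own.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes a generated password is expected to contain when the
# alphabet includes them (assumption: mirrors common complexity policies).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password whose characters come from the OS CSPRNG.

    secrets.choice is unbiased: it discards random draws that would wrap
    around modulo len(alphabet), so every symbol is equally likely. Never
    use the random module for this; it is a deterministic PRNG seeded from
    a small state and is not designed to resist prediction.
    """
    if length < 1:
        raise ValueError("length must be positive")
    # Only require the classes that the chosen alphabet can actually supply,
    # and skip the check entirely if the password is too short to hold them.
    wanted = [cls for cls in CLASSES if any(c in alphabet for c in cls)]
    if length < len(wanted):
        wanted = []
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in wanted):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet).

    For generate_password this is an upper bound: rejecting candidates that
    lack a character class removes a small fraction of the space.
    """
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(words: int, digit_combos: int, symbols: int) -> float:
    """Entropy of a human-style 'word + digits + symbol' password.

    The attacker only has to enumerate the pattern, so the search space is
    the product of the choices at each position, not the raw character space.
    """
    return math.log2(words * digit_combos * symbols)


def seconds_to_exhaust_half(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password by brute force at the given rate.

    On average an attacker succeeds after searching half of the 2**bits space.
    """
    return (2.0 ** (bits - 1)) / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(20)
    strong = entropy_bits(len(pw), len(ALPHABET))
    # Constructed comparison: one of 10,000 dictionary words, two digits, one
    # of 32 symbols; an offline guess rate of 2**40/s is an assumed figure.
    weak = pattern_entropy_bits(10_000, 100, 32)
    rate = 2.0 ** 40
    print(f"generated: {pw!r} ({strong:.1f} bits)")
    print(f"  expected brute-force time: {seconds_to_exhaust_half(strong, rate):.3g} s")
    print(f"'word12!' style password: {weak:.1f} bits")
    print(f"  expected brute-force time: {seconds_to_exhaust_half(weak, rate):.3g} s")
```

Running the script prints a fresh 20-character password with roughly 131 bits of entropy next to the roughly 25 bits of the patterned password; the gap, not the absolute figures, is the point. The same arithmetic is what a defender uses to set a minimum generated length for a given character set.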
LastPass has urged customers to follow its recommended security practices and is working with GoTo, Mandiant, and law enforcement services to investigate the issue.
IT Pro has approached GoTo for comment.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.