Password manager with over 25 million users said an unauthorized party gained access to “certain elements of their customers’ information.”
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” Karim Toubba, CEO of LastPass, said.
Apparently, a threat actor used information obtained in the August 2022 incident. LastPass disclosed an incident in the summer where an attacker breached systems through a compromised developer account. They took portions of source code and some proprietary LastPass technical information.
No data within users’ vaults, personal information, or master passwords were compromised in the August incident.
While LastPass customers’ passwords remain safe, the password manager said the attacker gained access to “certain elements of their customers’ information” this time. The company didn’t give any details about what that information contained.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here,” Toubba said.
More from Cybernews:
Subscribe to our newsletter