December 1, 2022

LastPass, the password manager, has informed customers that unknown attacker breached its cloud storage using information stolen during a previous security incident in August 2022. The attacker also managed to access customer data stored in the compromised storage service, but that passwords are safe and encrypted due to LastPass’s Zero Knowledge architecture.

LastPass is one of several password managers on the market that aim to reduce password reuse online by storing them in a single app. It also makes it simpler for users to generate strong passwords when necessary.

LastPass discovered in August that some of its source code and technical information had been stolen as a result of unauthorized access to a third-party storage service the company was using. According to the company’s findings, while the threat actor was able to gain access to the company’s development environment, the system prevented access to customer data or encrypted passwords.

“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” Lastpass said.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Lastpass added.

Lastpass said it hired security firm Mandiant to investigate the incident and reported it to law enforcement.

The sources for this piece include an article in BleepingComputer.