Leading password manager LastPass and its subsidiary, communications software provider GoTo, have announced that they suffered a breach of their cloud storage infrastructure following a cyberattack in August 2022.
In an update regarding the ongoing incident, the company admits that it recently noticed “unusual activity” on a third-party cloud storage service used by both LastPass and GoTo.
The results of the LastPass investigation, signed by LastPass CEO Karim Toubba with the involvement of Mandiant security researchers, showed that someone used the credentials leaked in the incident to gain access to “certain elements” of LastPass customer data.
Passwords are safe
Toubba didn’t elaborate on the type of data being accessed, but he said users’ passwords were untouched.
“Our customers’ passwords remain securely encrypted thanks to LastPass’ zero-knowledge architecture,” he said.
“While our investigation continues, we have achieved a state of containment, implemented additional heightened security measures and see no further evidence of unauthorized activity.”
As one of the most popular enterprise password managers and generators on the market, trusted by over 100,000 businesses every day, LastPass is no stranger to data breaches by cybercriminals.
Tech Radar Pro previously reported that the company confirmed in late September 2022 that the threat actor responsible for the original breach in August lurked on its network for days before being ousted.
However, the attacker was not able to access internal customer data or encrypted password vaults at the time. LastPass claims that the latest development hasn’t changed that because of its zero-knowledge architecture.
“Although the attacker could access the development environment, our system design and controls prevented the attacker from accessing customer data or encrypted password vaults,” Toubba said at the time.
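To make the zero-knowledge claim concrete, the following is an added illustration of the design pattern behind it; it is not LastPass code and does not describe LastPass’s actual implementation. The pattern: the master password never leaves the client, the vault encryption key is derived from it on the device, and the server only ever receives a separate login hash plus an opaque encrypted blob, so a breach of the storage layer yields nothing that decrypts a vault. Names, iteration counts and the cipher construction (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM so the example needs only the standard library) are assumptions made for this example.

```python
"""Toy model of a zero-knowledge password-manager design (illustration only).

Everything the server stores is derived client-side from the master password;
the server never receives the vault key or the master password. Uses only the
Python standard library, so the vault cipher is an HMAC-SHA256 counter-mode
keystream with an encrypt-then-MAC tag, a stand-in for a real AEAD such as
AES-GCM. Parameters and names are assumptions for the example, not LastPass's
actual implementation.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000   # assumed value for the example; production values are higher
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Client-side key derivation.

    vault_key stays on the device and encrypts the vault; auth_hash is what the
    client sends to log in. auth_hash is one extra PBKDF2 round over vault_key,
    so knowing auth_hash does not reveal vault_key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    enc_key = hmac.new(vault_key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode over (nonce || counter)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client-side: returns nonce || ciphertext || tag. Only this blob goes to the server."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client-side. Verifies the tag before decrypting; a wrong key fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed (wrong key or tampered blob)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Service side: holds a salted verifier of auth_hash plus the opaque blob, nothing else."""

    def __init__(self):
        self._accounts = {}

    def register(self, email: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        # auth_hash is itself treated as a password: salted and stretched before storage.
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000)
        self._accounts[email] = {"salt": salt, "verifier": verifier, "vault": encrypted_vault}

    def login(self, email: str, auth_hash: bytes) -> bool:
        acct = self._accounts.get(email)
        if acct is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, acct["salt"], 100_000)
        return hmac.compare_digest(candidate, acct["verifier"])

    def storage_dump(self) -> dict:
        """Everything someone with access to the storage layer would obtain."""
        return {e: dict(a) for e, a in self._accounts.items()}


def stored_material_contains(server: VaultServer, secret: bytes) -> bool:
    """True if `secret` appears verbatim anywhere in the stored records."""
    return any(secret in v for acct in server.storage_dump().values() for v in acct.values())
```

In this model a storage-layer breach yields the verifier and the encrypted blob and nothing more; even the login hash the server saw at authentication time cannot decrypt the vault, because the vault key sits one irreversible derivation step before it. What the exfiltrated ciphertext is ultimately worth then rests on the strength of each user’s master password and the KDF work factor, which is why both parameters matter in such a design.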
The attacker was apparently able to access the company’s development environment through a compromised developer endpoint.
Investigation and forensics have failed to determine the exact method used for the initial endpoint compromise. Toubba said the attackers used their persistent access to impersonate developers after successfully authenticating using multi-factor authentication.