Leading password manager LastPass and its affiliate, communications software provider GoTo, have revealed they suffered a breach of their cloud storage infrastructure, following a cyberattack in August 2022.
In an update regarding the ongoing incident, the company admits that it has recently detected “unusual activity” within a third-party cloud storage service used by both LastPass and GoTo.
The results of LastPass’ investigation, signed by LastPass CEO Karim Toubba and involving security experts from Mandiant, showed that someone used the credentials leaked in the August incident to gain access to “certain elements” of LastPass’ customer information.
Passwords are safe
Toubba did not go into further details about the type of data that was accessed, but he did say that the user passwords were untouched.
“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” he said.
“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
By virtue of being one of the most popular business password managers and generators out there, with over 100,000 businesses relying on it daily, LastPass is no stranger to data breaches committed by cybercriminals.
TechRadar Pro has previously reported that the company confirmed in late September 2022 that the threat actor responsible for the original breach in August had lurked in its network for days before being ousted.
However, the threat actor did not manage to access internal customer data, or encrypted password vaults at the time. LastPass claims that the latest development has not changed that, owing to its Zero Knowledge architecture.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults,” Toubba said at the time.
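What a “zero knowledge” design means in practice, and why a copy of the storage tier is not the same as a copy of the passwords, is easier to see in code. The following is an added illustration written for this article; it is not LastPass’s own code and does not describe its actual implementation. Assumptions and constructed details: PBKDF2-HMAC-SHA256 as the key derivation function with a chosen iteration count, an HMAC-SHA256 counter-mode keystream as a dependency-free stand-in for the AES-class cipher a real product would use, and a sample account with made-up entries.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed parameter for this example; vendors choose their own KDF settings.
KDF_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Runs on the client only: the vault key is derived from the master password
    and never transmitted, so the server (and anyone who copies its storage)
    never holds it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Login credential sent to the server: one further one-way step over the
    vault key. The server can compare it but cannot invert it to the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a dependency-free stand-in for a real
    # cipher such as AES-256; a product would use a vetted AEAD instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes) -> tuple:
    # Separate encryption and MAC keys, both derived from the vault key.
    enc_key = hmac.new(vault_key, b"vault-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the client; only this blob is uploaded."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def create_account(master_password: str, entries: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Everything the client hands to the service. This dict is the complete
    server-side record, i.e. all that a copy of the storage tier would yield."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(master_password, salt, iterations)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "auth_hash": derive_auth_hash(vault_key, master_password).hex(),
        "vault": encrypt_vault(vault_key, json.dumps(entries).encode()),
    }


def server_check_login(record: dict, presented_auth_hash: bytes) -> bool:
    """Server side: compares the presented credential to the stored one;
    no key material is involved."""
    return hmac.compare_digest(bytes.fromhex(record["auth_hash"]), presented_auth_hash)


def open_vault(record: dict, master_password: str) -> Optional[dict]:
    """Client side: re-derive the key from the master password and decrypt.
    Returns None for a wrong master password."""
    vault_key = derive_vault_key(master_password, bytes.fromhex(record["salt"]), record["iterations"])
    plaintext = decrypt_vault(vault_key, record["vault"])
    return None if plaintext is None else json.loads(plaintext)


if __name__ == "__main__":
    # Constructed sample account
    record = create_account("correct horse battery staple", {"example.com": "s3cret"})
    print("stored server-side:", sorted(record))  # no master password, no vault key
    print("correct password:", open_vault(record, "correct horse battery staple"))
    print("wrong password:", open_vault(record, "letmein"))
```

The record the service stores holds only a salt, the iteration count, a one-way login hash and an authenticated ciphertext; the master password and the vault key exist only on the client. That is the property behind the statement that vaults stay encrypted even when storage is copied. The residual risk in such a design is offline guessing against weak master passwords, which is why the iteration count and master password strength are the settings a defender should review after an incident of this kind.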
The attacker was apparently able to access the company’s Development environment through a developer’s compromised endpoint.
Although the investigation and forensics could not determine the exact method used for the initial endpoint compromise, Toubba did say the attackers used their persistent access to impersonate the developer once the developer had successfully authenticated with multi-factor authentication.