Password management solution LastPass disclosed a new security breach: the attackers had access to a third-party cloud storage service using information stolen in the August 2022 breach.
The impacted cloud storage service is GoTo; it is currently shared by both LastPass and its affiliate.
The company launched an investigation into the incident with the support of cyber security firm Mandiant and notified law enforcement.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” reads the notice of security incident published by the company.
The company pointed out that customers’ passwords were not compromised due to LastPass’s Zero Knowledge architecture.
In August, LastPass disclosed a security breach in which threat actors had access to portions of the company's development environment through a single compromised developer account and stole portions of source code and some proprietary technical information.
At the time of the security breach, the company engaged a leading cybersecurity and forensics firm to investigate the incident. LastPass confirmed that the data breach did not compromise users’ Master Passwords.
In an update published in September, the company revealed that the threat actors had access to its systems for four days during the August hack.
(SecurityAffairs – hacking, password)