In August 2022, hackers gained access to the development environment of LastPass and stole some of its source code and proprietary technical information. LastPass investigated the breach and confirmed that no customer information was accessed or stolen in that attack, but determined that the attackers had access to the development environment for 4 days.
The world’s most popular password manager has now announced that customer data has been compromised – not in the August breach itself, but through information obtained from the development environment. The data stolen in August 2022 allowed the hackers to gain access to a third-party storage service shared by LastPass and its affiliate, GoTo (formerly LogMeIn). LastPass launched an investigation into the new incident and engaged the cybersecurity firm Mandiant to assist.
That investigation confirmed that the third-party storage service contained certain customer data, which must now be assumed to have been compromised. LastPass has yet to announce which types of customer information were accessed or obtained in the attack.
LastPass stressed that customers’ password vaults were not compromised and that no customer master passwords were breached, because the LastPass password manager is built on a zero-knowledge architecture. That means even LastPass does not have access to users’ master passwords or password vaults, so those passwords remain protected in a cyberattack of this kind. Consequently, LastPass customers do not need to change their master passwords.
LastPass said it is still investigating to determine the full scope of the incident and to identify exactly what information the attackers accessed. LastPass CEO Karim Toubba explained in a November 30, 2022 website breach notice that the notification was issued promptly “in keeping with our full commitment to transparency.” LastPass also confirmed that “we will continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat activity.”