
LastPass admits 'elements' of customer data accessed in breach

The password manager denies the exfiltration of any password data in an attack that also hit affiliate GoTo


Password manager firm LastPass has revealed that it was subject to another security breach in which a threat actor accessed a system used by the firm, as well as some customer information.


LastPass said that unusual activity was detected on a third-party cloud storage platform it uses. Following an investigation involving the cyber security firm Mandiant, it was established that a threat actor had accessed some customer information.

According to LastPass, there is no evidence that customer passwords were affected or obtained in the attack; the firm states that all stored passwords remain encrypted.

The incident follows a similar attack in August in which a hacker stole LastPass source code. In that case, the hacker made use of a compromised developer account to breach the company’s development environment and then stole source code and technical information. At the time, the firm denied that any customer data or password vaults were stolen.

In the statement announcing the recent incident, LastPass CEO Karim Toubba linked the two attacks by suggesting that it was information stolen in the August incident that enabled this new attack.

“We have determined that an unauthorised party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” said Toubba in a blog post. “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”

LastPass affiliate GoTo (formerly LogMeIn) was also affected in the attack; the two companies share the same third-party cloud storage service. 

In a blog post covering the incident, GoTo CEO Paddy Srinivasan said that the company “detected unusual activity within our development environment and third-party cloud storage service”.

The company stated that all its products and services remain operational and that it is deploying further security measures and monitoring to prevent further activity from threat actors.

GoTo has not offered further information on the specific activity performed within its development environment, and unlike LastPass made no mention of customer information being affected.

"Third-party cloud storage certainly poses risks for organisations," said Javvad Malik, lead security awareness advocate at KnowBe4, to IT Pro. "This will vary depending on the nature of data that is stored or processed on the third-party cloud.

"Data can sometimes be considered similar to chemical elements. On their own, maybe a certain element is stable and benign. But mix it with other stable elements under the right conditions and you could end up with something volatile. 

"Similarly, we cannot completely dismiss any data breach as completely benign. There is always something that can be taken which could be combined with other data elements, or saved for future use. So while the risk may be low, we cannot say there is no risk at all.  In all of this though, it is important to commend LastPass for their exemplary transparency in their incident response."

Password managers are a popular way of storing logins securely, and can be especially useful in business roles that involve a large number of critical passwords.

In addition to storing passwords safely, such managers also generate long random passwords from a cryptographically secure random number generator. These are far harder for attackers to guess than the short, reused passwords people typically choose for themselves.
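The following is an added example (not code from the article, from LastPass or from GoTo) showing what "cryptographically secure" means in practice for a generated password. It draws characters uniformly from a CSPRNG with Python's `secrets` module, computes the resulting entropy, and contrasts that with the anti-pattern of seeding a general-purpose generator (`random`) from a timestamp, which an attacker who knows roughly when the password was created can simply replay. The character set `ALPHABET`, the default length of 20, and the example timestamp are assumptions made for this illustration.

```python
import math
import random
import secrets
import string

# Constructed alphabet for this example: letters, digits and a symbol subset
# (85 distinct characters). Real managers let the user choose the classes.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG.

    secrets.choice() uses rejection sampling, so every character of the
    alphabet is equally likely and the result has the full entropy computed
    by entropy_bits() below.
    """
    if length < 1:
        raise ValueError("length must be >= 1")
    if len(set(alphabet)) != len(alphabet):
        # Duplicate characters would make some symbols more likely than others.
        raise ValueError("alphabet must not contain duplicate characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Expected brute-force guesses to hit a password of the given entropy."""
    return 2 ** (bits - 1)


def weak_password(seed: int, length: int = 20, alphabet: str = ALPHABET) -> str:
    """Anti-pattern: Mersenne Twister seeded from a one-second timestamp.

    The output looks random but is a pure function of the seed, so its real
    entropy is that of the seed, not of the characters.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def recover_weak_password(target: str, start: int, window: int,
                          length: int = 20, alphabet: str = ALPHABET):
    """Attacker's view: knowing the password was made within `window` seconds
    of `start`, try every candidate seed and return the one that reproduces
    the target (None if not found). That is at most `window` guesses, however
    long the password looks.
    """
    for seed in range(start, start + window):
        if weak_password(seed, length, alphabet) == target:
            return seed
    return None


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(20, len(ALPHABET))
    print(f"CSPRNG password: {pw}  ({bits:.1f} bits, ~{expected_guesses(bits):.2e} guesses)")

    # Assumed generation time for the weak generator (example value only).
    t_created = 1_700_000_123
    leaked = weak_password(t_created)
    found = recover_weak_password(leaked, t_created - 3600, 7200)
    print(f"Timestamp-seeded password {leaked} recovered from seed {found} "
          f"after at most 7200 guesses")
```

The point of the contrast is that password strength is the entropy of the process that produced the password, not the look of the string: 20 characters from an 85-symbol alphabet give about 128 bits only when every character is an independent uniform draw from a CSPRNG.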

LastPass has urged customers to follow its recommended security practices and is working with GoTo, Mandiant, and law enforcement services to investigate the issue.

IT Pro has approached GoTo for comment.
