- In August, online password management platform LastPass said it was breached, with its development environment impacted.
- At the time the good news was that no customer data was compromised.
- Now, three months later, LastPass says it has been breached again and is still investigating the incident.
Data breaches and hacks (no, they are not the same thing) are announced every other week these days, which is why we often point to solutions like password managers to promote good cybersecurity habits. As it turns out, however, even password managers are not immune to breaches, as LastPass has confirmed that it recently suffered one, again.
This makes two in a little over three months, with a breach confirmed in August this year. That specific incident saw the LastPass developer environment affected, but importantly for customers, none of their data was compromised.
At the time of writing, we cannot say the same thing about this most recent breach, as the company is still in the process of investigating it. That said, it looks like the August breach may be linked to this latest one.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo (which owns the password manager). We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” the company noted in a blog post.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” it added.
LastPass is also in the process of notifying its customers about the breach, with emails being sent out to all of them.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional,” the email reads.
As a general rule of thumb, when an incident like this occurs, it is best to do some spring cleaning and rotate any old passwords or logins. It is also worth remembering that a Zero Knowledge architecture protects an encrypted vault only as far as its master password does, so that password should be long, unique and not reused anywhere else. We are awaiting further word on what the investigation yields and will update accordingly once LastPass shares that information.