Password management giant LastPass has suffered a breach of customer information in an attack that may be linked to a previous security breach in August, the firm revealed yesterday.
LastPass CEO, Karim Toubba, said in a notice that there’s an ongoing investigation into the incident led by Mandiant, and that law enforcement had been notified.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” he revealed.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
It’s unclear exactly what type of customer information has been compromised. The August incident Toubba referred to saw an unauthorized individual use a compromised developer account to access parts of the LastPass development environment.
The firm said at the time that no customer data or passwords had been compromised in the incident, with the attacker only accessing “source code and some proprietary LastPass technical information.”
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” Toubba declared of the latest breach.
“As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.”