Posted on December 1, 2022 at 11:55 AM
LastPass has said that unknown threat actors gained unauthorized access to its cloud storage through information stolen in a previous breach in August 2022. The company has said that the threat actors used the compromised storage service to access customer information.
LastPass reports a breach of customer data
LastPass suffered from a security breach on August 2022. The consequences of this breach are now being seen as the attackers used data in the first breach to access customer information.
The company issued a statement, “We recently detected unusual activity in a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
The company noted that the unauthorized party used information obtained during the August 2022 breach to access some features of customer information. The company further added that it had hired the services of the Mandiant cybersecurity firm to investigate this breach. It was also liaising with law enforcement to monitor the effects of the breach.
The company has confirmed that the threat actors did not access customer passwords. The company protected customer passwords using Zero Knowledge architecture. This protected them from being accessed by threat actors during breaching incidents such as the recent one.
LastPass also said that it worked to understand how this incident happened. Moreover, it was also conducting more investigations to understand the kind of information that the threat actors had accessed.
Second security incident in one year
This is the second security breach that LastPass has reported this year. In August, the company confirmed that its developer environment had been compromised through a breached developer account.
The password management company was hacked, allowing the attackers to steal the company’s source code and other proprietary technical information. The company disclosed this hacking incident after BleepingComputer reached out to the firm to confirm the breach. However, there were reports that the company’s employees were racing to contain the breach.
After questions about this breach started, LastPass published an advisory, confirming that a breach had indeed happened. The company said that the breach resulted from a compromised developer account that the hackers used to access the developer environment of the company.
LastPass also said there was no evidence that the breach had resulted in a customer data breach. It further said that password vaults were likely not compromised. However, the attackers accessed parts of the source code and the “proprietary LastPass technical information.”
The advisory from the company also said that by responding to this incident, the company said that it had adopted containment and mitigation measures. Moreover, it had also reached out to one of the leading cybersecurity and forensics companies to understand the extent of the breach. It also added that it had deployed additional security measures to contain the effects of the breach.
“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” the company said.
At the time, the company also sent out emails to customers. It confirmed that the attackers had accessed the stolen source code and the proprietary technical information from its systems. The company later issued a follow-up update saying that the attackers had maintained internal access to their systems for four days until they were evicted.
LastPass is one of the leading password management software companies. The company claims that it is used by over 33 million people globally and another 100,000 businesses.
Consumers and businesses adopt the software the company uses to store passwords securely. However, there are also concerns about the company being breached. These concerns revolve around what would happen if the company was hacked and whether a breach on its servers would allow threat actors to access the stored passwords.
However, LastPass has adopted the best infrastructure to protect user passwords securely and reduce the possibility of these passwords being hacked. LastPass’s passwords can only be decrypted using a master password of the customer, and according to LastPass, the master password was not compromised.
In 2021, LastPass suffered from a credential stuffing attack allowing the threat actors to confirm the master password of the user. It further revealed that the master passwords of the company had been stolen by the threat actors distributing the RedLine password-stealing malware.