LastPass announced that it has experienced a data breach for the second time. Hackers accessed a third-party cloud storage service used by the company. Because of this, the hackers were able to gain access to certain elements of customers' information.
LastPass Experiences Another Data Breach
Password manager LastPass experienced another data breach, its second this year. According to the announcement, the company detected unusual activity within a third-party cloud storage service. The service is shared by the company and its affiliate, GoTo.
In response, the password manager investigated the activity by engaging Mandiant, a leading security firm. The company added that it also alerted law enforcement during the investigation.
According to Chief Executive Officer Karim Toubba, an unauthorized party gained access to some customer information that was stored in a third-party cloud service. The unauthorized party used information that was stolen from their system in August.
Toubba added that informing the public is important in keeping with the company's commitment to transparency. While the company laid out how the data was obtained, the executive did not specify which customer information the hackers took. He added, "We are working diligently to understand the scope of the incident and identify what specific information has been accessed."
He also clarified that customers' passwords remain safely encrypted with the help of LastPass's Zero Knowledge architecture. The Verge reported that under this architecture only the user knows their master password, because encryption is locked at the device level instead of on the server side.
Previous Data Breach
In August, LastPass also announced to the public that an unauthorized party gained access to portions of the company's development environment through a single compromised developer account. Through this access, the party took portions of source code and some proprietary company information.
TechCrunch reported that the company's system design and controls prevented the threat actor from accessing any customer data or the encrypted password vaults. The recent hack might be connected to the previous one, especially since Toubba says that the hackers obtained access through the August incident.
He added, "As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity."
Despite the breach, the service remains fully functional, and the company clarified that an investigation was already ongoing. Meanwhile, GoTo spokesperson Elizabeth Bassler did not comment on the breach.