LastPass Investigates Another Security Incident, Exposes Customers' Information

The company detected unusual activity within a third-party cloud storage service, which it shares with its parent company GoTo.

LastPass announced that it has experienced a data breach for the second time. Hackers accessed a third-party cloud storage service used by the company and, as a result, were able to gain access to certain elements of customers' information.


LastPass Experiences Another Data Breach

Password manager LastPass has experienced another data breach, its second this year. According to the announcement, the company detected unusual activity within a third-party cloud storage service that is shared by the company and its affiliate, GoTo.

In response, the password manager engaged the leading security firm Mandiant to investigate the activity. The company added that it also alerted law enforcement during the investigation.

According to Chief Executive Officer Karim Toubba, an unauthorized party gained access to some customer information stored in a third-party cloud service. The unauthorized party used information that was stolen from the company's systems in August.

Toubba added that informing the public is in keeping with the company's commitment to transparency. While he laid out how the data was obtained, the executive did not say what specific customer information the hackers took. He added, "We are working diligently to understand the scope of the incident and identify what specific information has been accessed."

He also clarified that customers' passwords remain safely encrypted with the help of LastPass's Zero Knowledge architecture. The Verge reported that under this architecture only the user knows their master password, because encryption takes place at the device level instead of on the server side.

Previous Data Breach

In August, LastPass also announced to the public that an unauthorized party had gained access to portions of the company's development environment through a single compromised developer account. Through this access, the party took portions of source code and some of the company's proprietary information.

TechCrunch reported that the company's system design and controls prevented the threat actor from accessing any customer data or the encrypted password vaults. The recent hack might be connected to the previous one, especially since Toubba says that the hackers obtained access through the August incident.

He added, "As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity."

Despite the breach, the service remains fully functional, and the company clarified that an investigation is already ongoing. Meanwhile, GoTo spokesperson Elizabeth Bassler did not give any comment regarding the breach.

Written by Inno Flores
TechTimes