LastPass's data breach in August permitted a hacker to infiltrate the company again and steal customer data.
LastPass announced on Wednesday that it was investigating the breach, which involved a third-party cloud storage service linked to company systems.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” the company wrote in a blog post.
It is unknown what data was stolen. LastPass has stated, however, that customers' passwords should be safe because the company does not store information on the "Master Password" that customers use to access the encrypted password vaults on the platform.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” the company said.
Nonetheless, the incident demonstrates that the August breach at LastPass was more serious than previously thought. At the time, the company confirmed that the August breach only affected internal software development systems and did not include any customer password information. Despite this, the hacker was able to steal portions of the company's source code as well as some proprietary LastPass technical information, which likely paved the way for the subsequent intrusion.
LastPass also announced in September that it had completed its investigation into the breach with the assistance of cybersecurity firm Mandiant. According to the findings, the hacker only had access to the internal systems for four days.
There was also no evidence of tampering. However, it appears that LastPass did not uncover all of the possible ways the hacker could use the access to breach the company again. LastPass did not identify the third-party cloud storage service used by the hacker to breach the company a second time. It did say, however, that it has been sharing the cloud storage service with its affiliate GoTo. Private equity firms currently own both companies.
In response to the new breach, LastPass has implemented additional security measures and increased monitoring of its IT infrastructure. It has also contacted Mandiant and law enforcement to inquire about the hack.