LastPass Security Breach Exposed Some Customer Data, But Details Are Still Slim
Popular password managing tool LastPass has had an eventful past few years. The company — which has been under the ownership of LogMeIn (which itself transitioned to GoTo) since 2015 — was in the news earlier this year following reports of a major security incident, according to PCMag. In early August, the company detected "unusual activity" within its development environment, following which they set out on an internal investigation. While LastPass stopped short of detailing what exactly this unusual activity constituted and what the investigation results were, the incident prompted the company to issue a lengthy blog post.
The blog post claimed no evidence of customer data or password data breach due to the incident. However, LastPass' reluctance to divulge what exactly happened was a cause of concern to many. To reassure LastPass users, the company also published a small FAQ section within the blog post that addressed most users' concerns about the incident.
In September 2022, LastPass made a follow-up blog post as an update and claimed that the August incident was the handiwork of a "threat actor" who was able to access the company's development environment. However, the threat actor was prevented from accessing any customer-centric data and had no access to LastPass' encrypted password vaults. The blog post ended with a promise that the company would deploy additional security measures to prevent such incidents in the future.
Two months later, on November 30, 2022, LastPass published a new blog post detailing a fresh security event that is loosely connected to the August 2022 event.
Customer information may have been compromised
LastPass' new blog post continues to be vague about the nature of the latest security incident that has affected the platform. What it does reveal, however, is that the company recently detected yet another incident of "unusual activity" within a third-party cloud storage service connected to LastPass. LastPass stopped short of revealing details surrounding the affected third-party cloud service. However, TechCrunch has hinted at the possibility of the cloud service being AWS. For those unaware, starting in 2020, LastPass began using AWS (Amazon Web Services) to store more than a billion customer records on Amazon's cloud.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass's Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq
— LastPass (@LastPass) November 30, 2022
LastPass goes on to add that the security incident prompted an immediate internal investigation, following which they ascertained that the threat actor was able to access "certain elements" of LastPass' customer information. Interestingly, LastPass has also confirmed that the unauthorized party used data from the August 2022 incident to gain access to LastPass' systems.
While LastPass hasn't revealed the exact nature of the customer information that has been breached, they maintain that customers' passwords have not been affected. LastPass also said it had engaged the services of Mandiant — a leading security firm — to help with the investigation. The company has also notified law enforcement agencies of the incident. The company has promised to share more updates surrounding the latest incident after it concludes its internal investigation.