LastPass admits new hack, some customer data exposed

Information that hackers got from an August hack of password management provider LastPass was used to compromise the company again, its CEO has acknowledged.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Karim Toubba said in a statement Wednesday.

The discovery, Toubba said, came after the company recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo

Customers’ passwords remain safely encrypted, he added.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here.” 

As part of its efforts, Toubba said, LastPass continues to deploy enhanced security measures and monitoring capabilities across its infrastructure to help detect and prevent further threat actor activity. 

Given the vast number of passwords it protects globally, Lastpass remains a big target, said Yoav Iellin, a senior researcher at Silverfort.

While LastPass admitted the threat actor gained access using information obtained in the previous compromise, exactly what this information is remains unclear, he said. Typically,  Iellin added, it’s best practice after suffering a breach for an organization to generate new access keys and replace other compromised credentials to ensure things like cloud storage and backup access keys cannot be reused.

LastPass subscribers should watch out for updates, and verify they are legitimate before taking any action. If they haven’t done so already, they should change the passwords and enable two-factor authentication on any applications with passwords in LastPass, he also said.

In the August incident, some of the company’s source code was stolen after one of its developer accounts was hacked.

The company says it has 100,000 business customers, as well as individual users. Combined, it counts 33 million registered users, with “the significant majority” represented by corporate customers.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.