LastPass discloses data breach: customer information affected

Breach confirmed although customers' passwords remain safe

It's the second data breach the company has suffered this year

It was revealed that an unauthorized party managed to access a third-party cloud storage service used by LastPass, a well-known password manager first released in 2008. The attackers were able to carry out the intrusion using information obtained during a previous breach of the company in August this year.

Once the unknown threat actors had broken into that storage, they also gained access to customer information held there. Nevertheless, the company broke the news on Twitter, stating that users' passwords have not been exposed to the criminals thanks to LastPass's Zero Knowledge architecture:[1]

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

While the third-party cloud service wasn’t named, Amazon Web Services noted in a 2020 blog post that the company had moved a billion customer records to its cloud.[2] GoTo (formerly known as LogMeIn) also released a brief statement, although it is not clear whether that company's customers were affected as well.[3]

Karim Toubba, the CEO of LastPass, said in the official blog post[4] that the company's team is investigating the security breach and has also engaged a third-party investigation team from Mandiant to establish precisely what transpired. Law enforcement agencies were informed of the data breach, as required.

Unfortunately, such incidents damage the reputation of the password manager and of the company itself. Trust is eroded, and sales of the product, as well as its reviews and ratings, suffer. It is likely that LastPass will not be included in the best password manager lists next year.

The breach was successful due to the previous incident

LastPass is widely used password management software, claimed to serve more than 33 million people and 100 thousand businesses worldwide.[5] It is no secret that high-profile organizations are frequent targets of attackers because of how lucrative the exfiltrated data can be (especially when the scope of the stolen information is large).

Back in August 2022, it was revealed that the company had suffered a breach, which was investigated right away. After concluding the investigation, the company said that the intrusion was made possible through the compromised login account of one of its employees.

Toubba said that the attackers spent four days inside the development environment in August before the incident was contained. According to the advisory, the breach was limited to source code and proprietary technical information, and no evidence was found that customer data had been affected.

It was noted that “our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”

With this new development, the scope of the subsequent breach has yet to be confirmed by the investigation team, and it may turn out that some or all LastPass users are affected.

Service is operating as normal

In the blog post, the CEO of LastPass said that the breach was disclosed publicly for the sake of transparency. He also stated that the scope of the security incident has yet to be determined, and that it is not yet clear which customer information the attackers managed to access and potentially steal.

Toubba urged users to follow the best practices for setting up and configuring the password manager, noting that the service continues to operate normally despite the incident.

As is common with data breaches, little information is available about what precisely happened while the investigation is ongoing. Since customers' passwords stored in LastPass remain secure, according to the company, users are not required to take any action at this time.

Toubba added:

As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.

About the author

Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
