What just happened? LastPass, the popular password manager that boasts over 33 million customers and 100,000 business users, has been hacked, again. Unlike the previous incident, the company says customer data was exposed this time, but it stresses that users' passwords were not compromised.
LastPass CEO Karim Toubba writes that LastPass recently detected unusual activity within a third-party cloud storage service that the organization and affiliate GoTo currently share.
It has been determined that the attackers gained access to “certain elements” of customers’ data. They did so using information obtained in the August breach of LastPass, in which cybercriminals took portions of the company’s internal source code and documents containing proprietary technical information. On that occasion the intruders got in through a compromised developer account and had access to the development environment for four days before being detected and removed.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq pic.twitter.com/ynuGVwiZcK
— LastPass (@LastPass) November 30, 2022
Any security breach at a password manager will obviously raise concerns about stolen passwords, but LastPass emphasizes that these remain safe thanks to its Zero Knowledge architecture: the master password is known only to the user and is never sent to LastPass, and the vault is encrypted and decrypted only on the user's device, so the company's servers hold nothing but ciphertext. As such, LastPass is not recommending that users change their passwords. The caveat a zero-knowledge design carries is that the encrypted data is protected only as well as the master password it was derived from; anyone holding a copy of the ciphertext can guess master passwords offline, limited only by the strength of the password and the cost of the key-derivation function.
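To make concrete what “zero knowledge” does and does not guarantee, here is an added, stdlib-only Python sketch of the pattern. It is illustrative code written for this article, not LastPass's implementation. Assumptions: PBKDF2-SHA256 with 100,100 iterations (the client-side default LastPass has publicly documented, treated here only as a tunable cost parameter), the account e-mail as salt, an HMAC-SHA256 counter-mode stream cipher plus HMAC tag as a stand-in for a real AEAD such as AES-GCM, and constructed sample accounts and vault entries. The Server class, derive_login_hash and offline_guess are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import json
import secrets

# Illustrative parameter: LastPass has publicly documented 100,100 client-side
# PBKDF2-SHA256 rounds as its default. Treated here as a tunable cost knob.
KDF_ITERATIONS = 100_100


def derive_vault_key(master_password: str, account_id: str,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-only: stretch the master password into a 256-bit vault key.
    The account id (e-mail) is the salt, so equal passwords give distinct keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account_id.lower().encode(), iterations, dklen=32)


def derive_login_hash(vault_key: bytes) -> bytes:
    """The only password-derived value that leaves the device. It is a one-way
    function of the vault key, so neither the server nor a thief of its database
    can recover the key from it."""
    return hmac.new(vault_key, b"login", hashlib.sha256).digest()


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher;
    a production client would use an AEAD such as AES-GCM instead."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_vault(vault_key: bytes, vault: dict) -> dict:
    """Encrypt-then-MAC on the device; only this opaque blob is uploaded."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(vault, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict):
    """Returns the vault dict, or None when the key is wrong (MAC mismatch)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = (bytes.fromhex(blob[f]) for f in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))


class Server:
    """Hypothetical zero-knowledge service: stores a salted, stretched hash of the
    login hash (so a dumped database is not replayable) plus the ciphertext blob."""
    def __init__(self):
        self.records = {}

    def register(self, account_id: str, login_hash: bytes, blob: dict) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, 100_000, dklen=32)
        self.records[account_id] = {"salt": salt, "verifier": verifier, "blob": blob}

    def authenticate(self, account_id: str, login_hash: bytes) -> bool:
        rec = self.records[account_id]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, rec["salt"], 100_000, dklen=32)
        return hmac.compare_digest(candidate, rec["verifier"])


def offline_guess(stolen_blob: dict, account_id: str, candidates,
                  iterations: int = KDF_ITERATIONS):
    """What an attacker holding a copy of the server's data can do: run each
    candidate master password through the full KDF and test it against the MAC.
    Returns (recovered_password_or_None, number_of_KDF_evaluations)."""
    for n, guess in enumerate(candidates, 1):
        if decrypt_vault(derive_vault_key(guess, account_id, iterations), stolen_blob) is not None:
            return guess, n
    return None, len(candidates)


if __name__ == "__main__":
    account = "alice@example.com"  # constructed sample data
    vault = {"github.com": {"user": "alice", "password": "s3cr3t"}}
    for master in ("Password123", "correct horse battery staple"):
        key = derive_vault_key(master, account)
        server = Server()
        server.register(account, derive_login_hash(key), encrypt_vault(key, vault))
        stolen = server.records[account]["blob"]  # a breach hands the attacker exactly this
        found, tries = offline_guess(stolen, account, ["123456", "password", "Password123"])
        print(f"{master!r}: login ok={server.authenticate(account, derive_login_hash(key))}, "
              f"offline guess -> {found!r} after {tries} KDF runs")
```

The point the demo makes: nothing the server stores lets it (or a thief of its database) decrypt the blob or recover the master password, so the service is genuinely "zero knowledge"; but the stolen blob itself is an offline oracle, and the weak master password falls to a three-word guess list while the long passphrase does not. Raising KDF_ITERATIONS makes each guess cost more; choosing a strong master password makes the number of guesses required impractical.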
Toubba said LastPass is continuing to work on understanding the scope of the incident and identifying what specific information has been accessed. It has engaged leading security firm Mandiant and alerted law enforcement.
LastPass is massively popular and a capable piece of software, but this is another occasion on which its security practices have come under question. In 2019 the company patched a flaw that could have allowed an attacker to scrape login details for the last site a user had visited, and a browser extension vulnerability was disclosed in 2017.
In December 2021, LastPass users reported that someone was attempting to log in to their accounts from unknown locations using their correct master passwords. The company said these attempts were most likely credential stuffing, the result of customers reusing passwords across multiple sites.
If you are a LastPass user concerned by these incidents, turn on multifactor authentication, for example with the LastPass Authenticator app, so that a one-time code is required at sign-in. Be clear about what that protects: the second factor guards sign-in to LastPass's service; it does nothing for encrypted data that has already been copied off a server, which is protected only by the master password it was encrypted under. A long, unique master password remains the control that matters most for the vault itself.