Hackers accessed LastPass customer details using information stolen in August hack
Hackers accessed LastPass customer information during an attack that allegedly used information stolen in a previous hack in August, the company has confirmed.
The password management giant was attacked in August, with the hacker stealing some of the platform’s source code and technical information but not accessing customer information.
On Wednesday, LastPass CEO Karim Toubba said it recently detected “unusual activity” within a third-party cloud storage service that is shared by both LastPass and GoTo, its parent company.
“We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Toubba said.
“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
LastPass and GoTo did not respond to requests for comment about what customer information was accessed, nor how the hackers used information harvested in the August incident to gain further access.
Both companies sent emails to customers to update them, and GoTo CEO Paddy Srinivasan also released a statement. They said all of their products and services are fully functional as they continue the investigation into what happened.
During the original incident in August, Toubba wrote, hackers were able to gain access to “portions of the LastPass development environment through a single compromised developer account.”
The hackers stole proprietary LastPass technical information and Mandiant was similarly hired to conduct an investigation. A month later, the company released an update saying the hacker spent four days in their system but that they could not figure out how they had gained access.
“While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication,” Toubba explained in September.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”
The company said its development environment is physically separated from encrypted vaults, customer data and production environments. It analyzed its code and found no evidence of code-poisoning or malicious code injection.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq
— LastPass (@LastPass) November 30, 2022
LastPass is the latest security provider this year to face a cyberattack after access management company Okta was attacked by criminal extortion group Lapsus$ in March.
Chris Vaughan, a vice president at cybersecurity firm Tanium, told The Record that password managers are a challenging but attractive target for a threat actor, as they can potentially unlock a treasure trove of access to accounts and sensitive customer data in an instant if they are breached.
“However, I believe that the benefits of using a secure password management solution often far outweigh the risks of a potential breach,” he said.
“When layered with the other security recommendations, it's still one of the best solutions to prevent credential theft and associated attacks. We just have to hope that customer confidence has not been impacted too much by these recent attacks.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.