LastPass reports yet another security breach (updated)
The company says all your passwords are still safely encrypted.
UPDATE 12/22/22 4:45 PM EST: LastPass has updated its blog with information about its ongoing investigation into the recent security breach. The company warns that hackers may attempt to brute-force users’ master passwords. Users should change their master password and enable two-factor authentication. More updates below.
LastPass is warning its customers about a recent security breach. It follows another hacking incident in August, and the two appear to be related.
Earlier this week, LastPass CEO Karim Toubba shared a message with customers notifying them of the breach. The company also emailed customers the same message.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” Toubba wrote in an email. “We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
Initially, the company noticed strange activity in its third-party cloud storage service. It immediately began investigating with the help of Mandiant, a leading security firm.
Toubba says the company discovered an ‘unauthorized party’ gained access to certain elements of its customers’ information.
LastPass claims that users’ passwords are safe
The messages confirm that the bad actor accessed this data using information obtained in the August breach. LastPass says, however, that users’ passwords are safe:
“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” reads the statement to customers.
The company has traditionally been transparent about breaches and similar activity that could endanger its customers, and it will likely update the message page as more details become available.
LastPass didn’t share exactly what kind of information the hacker accessed. But it did say that passwords remain encrypted.
Additionally, the company points customers to its recommended best practices for setting up LastPass.
Still, it’s not a good look for a security-focused company to suffer as many breaches as LastPass has in the past few months.
However, the company has been very transparent, and it seems like it’s working hard to overcome and avoid these breaches in the future.
UPDATE 12/22/22 4:45 PM EST: LastPass recently posted an update to its blog with information about its ongoing investigation. The post includes details regarding its findings, customer recommendations, and the actions they’re currently taking.
In a nutshell, the investigation revealed that an unknown threat actor accessed the cloud storage using information obtained from a previous incident in August 2022.
The threat actor successfully copied a backup of customer vault data stored in an encrypted format.
Still, the data remains secured with 256-bit AES encryption and can only be decrypted with a unique key derived from each user’s master password.
The company warns that hackers may try to brute-force master passwords in order to decrypt the copied vault data, but says its default master password settings and best practices make this difficult for users who followed them.
LastPass recommends that users change their master password and enable two-factor authentication to protect themselves against attacks. Note that both steps protect the live account going forward; a copy of the vault already in an attacker’s hands is still protected only by the master password in use when it was taken.
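The brute-force risk described above comes down to one number: how expensive each guess at the master password is for someone holding an offline copy of the vault. The block below is an added example, not LastPass code, and it assumes a PBKDF2-HMAC-SHA256 key derivation with 100,100 iterations (parameters not stated on this page). It stands in for “does this key decrypt the vault?” with an HMAC over a fixed marker so it runs with the standard library only; real vaults are AES-256 ciphertext and a wrong key simply fails to decrypt. It shows the per-guess cost of the KDF, the resulting time to exhaust a keyspace, and why rotating the master password does nothing for a copy that was already stolen.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters (not stated on this page): PBKDF2-HMAC-SHA256 as the
# master-password KDF, 100,100 iterations, 256-bit output key.
ITERATIONS = 100_100
KEY_LEN = 32


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the vault key from the master password (assumed KDF: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def vault_tag(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?'.

    A real vault is AES-256 ciphertext that fails to decrypt under a wrong key.
    An HMAC over a fixed marker plays that role here (standard library only).
    """
    return hmac.new(key, b"vault-check", "sha256").digest()


def brute_force(tag: bytes, salt: bytes, candidates, iterations: int = ITERATIONS):
    """Offline guessing against a stolen copy: every candidate costs one full KDF run.

    Returns (recovered_password, guesses_tried), or (None, guesses_tried).
    """
    for n, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(vault_tag(derive_key(guess, salt, iterations)), tag):
            return guess, n
    return None, len(candidates)


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure the cost of one guess on this machine (single core, OpenSSL PBKDF2)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_seconds(alphabet_size: int, length: int, cost_per_guess: float) -> float:
    """Average time to hit a uniformly random password: half the keyspace times the cost per guess."""
    return (alphabet_size ** length / 2) * cost_per_guess


def rotation_effect(old_password: str, new_password: str, salt: bytes,
                    iterations: int = ITERATIONS):
    """Changing the master password re-keys the live vault only.

    Returns (old_opens_stolen_copy, new_opens_stolen_copy); the copy taken before
    the change still yields to the old password and ignores the new one.
    """
    stolen = vault_tag(derive_key(old_password, salt, iterations))  # what the attacker holds
    old_opens = hmac.compare_digest(vault_tag(derive_key(old_password, salt, iterations)), stolen)
    new_opens = hmac.compare_digest(vault_tag(derive_key(new_password, salt, iterations)), stolen)
    return old_opens, new_opens


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; a real vault carries its own per-user salt
    # Constructed weak master password and a tiny wordlist standing in for a real one.
    stolen = vault_tag(derive_key("Summer2022!", salt))
    wordlist = ["password", "123456", "lastpass", "Summer2022!", "correct horse battery staple"]
    print("wordlist attack recovered:", brute_force(stolen, salt, wordlist))

    cost = seconds_per_guess()
    print(f"{cost * 1000:.1f} ms per guess at {ITERATIONS:,} iterations on one core")
    for alphabet, length in [(26, 8), (95, 12)]:
        years = expected_crack_seconds(alphabet, length, cost) / (365 * 24 * 3600)
        print(f"  random {length}-char password over {alphabet} symbols: ~{years:.3g} years (one core)")

    print("after rotation (old opens, new opens):",
          rotation_effect("Summer2022!", "a-new-long-passphrase-2023", salt))
```

The wordlist hit lands in a fraction of a second regardless of iteration count: the KDF only multiplies the cost per guess, so a password that appears in a leak list or a small mutation set is recoverable from the stolen copy no matter how many iterations were used. The keyspace estimate is for a single CPU core; a GPU cracking rig runs PBKDF2-SHA256 orders of magnitude faster, which is why the “years” figure for short or predictable passwords should be read as an upper bound.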
“We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform,” writes Karim Toubba, LastPass CEO. “In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”