Second Breach in Last Three Months for LastPass

LastPass, a major password manager, has suffered its second breach in the past three months by the same unknown attackers. These threat actors breached LastPass’s third-party cloud storage service, shared by its affiliate “GoTo” and using information stolen during an August 2022 security incident. Once in, they accessed LastPass customer data. LastPass said that it hired security firm Mandiant to investigate and notified law enforcement of the attack. It did announce that customers’ passwords were not compromised and “remain safely encrypted due to LastPass’s Zero Knowledge architecture.” The company had confirmed in August that its developer environment was breached by a compromised developer account during a four-day period. In emails sent to customers at the time, LastPass confirmed the attackers had stolen source code and proprietary technical information from its systems. LastPass’s password management software is used by more than 33 million people and 100,000 businesses.