On November 30, Karim Toubba, CEO of the password manager LastPass, publicly admitted that hackers had exploited a new vulnerability to gain access to LastPass's third-party cloud storage servers and to critical information about some customers. Exactly how many customers were affected, and what sensitive information the hackers stole, had not yet been disclosed.
After LastPass publicly acknowledged the data breach, the company further emphasized that "due to LastPass's advanced Zero Trust architecture, customers' passwords remain securely encrypted."
But this guarantee does not seem to have reassured customers. After all, in August 2022, LastPass had also publicly admitted that hackers had entered its internal systems and stolen some of its source code and sensitive data. Just three months later, LastPass suffered a data breach of this magnitude.
Public information shows that LastPass is an online password manager and page filter that uses strong encryption algorithms, and automatic login/cloud synchronization/cross-platform/support for multiple browsers. The company claims that its products are used by more than 100,000 businesses and 33 million people, making it the world’s largest online password manager.
It is worth mentioning that the November data breach is linked to the source code breach in August: according to Karim Toubba, CEO of LastPass, the hackers used "information obtained during the August incident" to gain access to user data.
LastPass said that it has hired Mandiant, a professional cybersecurity company, to investigate the incident and report the attack to law enforcement.
In recent years, LastPass has been prone to data and password leakage scandals. At the end of 2021, many LastPass users received a LastPass login email warning that their master password had been compromised and that someone was trying to log into their account from an unknown location. LastPass later responded to the abnormal logins by stating that there was no evidence of a data breach, but users did not buy it and questioned the security of LastPass.
LastPass's parent company, GoTo, was also affected
Since the third-party cloud storage service is shared by LastPass and its parent company GoTo (formerly known as LogMeIn), the attack also affected GoTo's development environment and third-party cloud storage service, and the corresponding data was leaked.
GoTo said the attack did not affect its products and services, which remain fully functional. To better ensure security, GoTo said it deployed "enhanced security measures and surveillance capabilities" in the aftermath of the attack.
Some foreign media outlets asked GoTo for specific information about the incident and its consequences, such as the time of the attack or whether source code was stolen, but have not yet received a reply.