LastPass has experienced another data breach, but this time, it exposed user data. According to a post from LastPass CEO Karim Toubba, hackers accessed a third-party cloud storage service used by the password manager and were able to “gain access to certain elements” of “customers’ information.”
It’s still not clear what information hackers got access to or how many customers were affected, but Toubba says that users’ passwords weren’t compromised.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq pic.twitter.com/ynuGVwiZcK
- LastPass (@LastPass), November 30, 2022
“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba writes, citing the company’s policy that means only the user knows their master password, with encryption that occurs only at the device level and not server-side.
This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before being detected. It looks like this new attack is connected, as Toubba says the company determined that hackers gained access to user data “using information obtained in the August 2022 incident.”
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Toubba says, adding that the service remains “fully functional” despite the breach. The company has launched an investigation into what went wrong and said it has also notified law enforcement.