LastPass CEO Karim Toubba has revealed that the password manager has been hacked again. Toubba said the company detected unusual activity within a third-party cloud storage service it shares with its parent company GoTo, formerly known as LogMeIn. To investigate the incident, LastPass partnered with security firm Mandiant. Together, they determined that the unauthorized party broke into LastPass’s cloud service using information obtained from the security breach it suffered in August of this year. Additionally, they discovered that the bad actor was able to access “certain elements” of his clients’ information.
If you recall, LastPass was hacked in August and Toubba admitted after an investigation that the unauthorized party had had internal access to his systems for four days. The hacker was able to steal some source code and technical information from the password manager, but LastPass said customer data and encrypted password vaults remained intact. Apparently, the attacker’s access was limited to the service’s development environment. While the unauthorized party was able to access some user information this time, LastPass said customer passwords remain securely encrypted.
In an announcement, remote work and collaboration tools provider GoTo admitted that bad actors had entered its development environment. Like LastPass, the company has assured its customers that its products and services are fully functional despite the breach. The password manager and its parent company are still investigating the incident to understand its scope, so we’ll likely have more details in the coming months.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you purchase something through one of these links, we may earn an affiliate commission. All prices correct at time of publication.
