Password manager LassPass said it was investigating a security incident after its systems were compromised for the second time this year.
LastPass CEO Karim Toubba said in a blog post that an “unauthorized party” recently gained access to certain customer information stored in a third-party cloud service shared by LastPass and its parent company, GoTo. Toubba said the unauthorized party used information stolen from LastPass’s systems in August, which the company disclosed at the time.
Toubba did not specify what specific customer information was taken, but said he was working to “understand the scope of the incident and identify the specific information that was accessed.”
GoTo, formerly LogMeIn, which acquired LastPass in 2015, said in an equally vague statement that it was investigating the incident. It’s not yet clear if LogMeIn and GoTo customers are affected by the breach.
LastPass said in August that an unauthorized party “gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and certain proprietary technical information from LastPass.” LastPass said its system design and controls “prevent the threat actor from gaining access to customer data or encrypted password vaults.”
Toubba added in the blog on Wednesday that “customer passwords remain securely encrypted.”
GoTo spokeswoman Elizabeth Bassler declined to comment beyond the LastPass blog post.
If you know more about LastPass and GoTo, contact us through Signal at +1 646.755.8849 or through SecureDrop.
