LastPass reports second data breach in three months


But the company says customer passwords are encrypted and safe

LastPass, a company that stores customers’ passwords, has reported another data breach. It’s the second breach since August.

The company said the hackers were able to carry out the second successful attack using information they obtained during the August breach. Once inside the network, the attackers were able to access additional customer data.

“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” the company said in a security incident report. “We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.”

LastPass said the attacker was not able to obtain customers’ passwords. It said that data is encrypted and remains safe.

Second attack stemmed from the first

The company said it has learned so far that the attacker, using information obtained in the August 2022 incident, was able to gain access to certain elements of LastPass customers’ information.

LastPass says the August security breach was limited to the LastPass development environment, from which some of the company’s source code and technical information were taken.

In an update in mid-September, the company said it had completed its investigation and found that attackers were inside the network for four days until their presence was found and they were blocked.

It’s not clear when the second attack occurred. The company also did not say what kind of customer data was compromised.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” the company said. “In the meantime, we can confirm that LastPass products and services remain fully functional.”
