Cyber attackers were able to access a third-party cloud storage service LastPass uses to store customer data. It remains unclear how many customers the data breach impacted but it appears that passwords have not been compromised.
Last week, LastPass has released an official statement. In the statement, they advised that they “immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement” and “have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” According to an statement by LastPass, more insight into the recent security incident has actually revealed customer data was affected (via 9to5Mac).
LastPass CEO Karim Toubba stated in the update, “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
With us now being in December, LastPass’ CEO states the company is still working through determining the scope of the incident and trying to figure out just what pieces of customer data were accessed.
During the attack in August, LastPass stated that an attacker was able to gain access to its source code and other technical data. As 9to5Mac informs, the company’s owner, LogMeIn, stated that no customer data was compromised during the attack, which has turned out to not be the case with this latest update.