LastPass admits new hack, some customer data exposed

Information that hackers got from an August hack of password management provider LastPass was used to compromise the company again, its CEO has acknowledged.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Karim Toubba said in a statement Wednesday.

The discovery, Toubba said, came after the company recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo

Customers’ passwords remain safely encrypted, he added.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here.” 

As part of its efforts, Toubba said, LastPass continues to deploy enhanced security measures and monitoring capabilities across its infrastructure to help detect and prevent further threat actor activity. 

Given the vast number of passwords it protects globally, Lastpass remains a big target, said Yoav Iellin, a senior researcher at Silverfort.

While LastPass admitted the threat actor gained access using information obtained in the previous compromise, exactly what this information is remains unclear, he said. Typically,  Iellin added, it’s best practice after suffering a breach for an organization to generate new access keys and replace other compromised credentials to ensure things like cloud storage and backup access keys cannot be reused.

LastPass subscribers should watch out for updates, and verify they are legitimate before taking any action. If they haven’t done so already, they should change the passwords and enable two-factor authentication on any applications with passwords in LastPass, he also said.

In the August incident, some of the company’s source code was stolen after one of its developer accounts was hacked.

The company says it has 100,000 business customers, as well as individual users. Combined, it counts 33 million registered users, with “the significant majority” represented by corporate customers.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now