GoTo Disclosed Data Breach and LastPass Hacked Again
Once again, the password vault LastPass has reported another data breach this year. LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident in August 2022.
In its blog post, LastPass says:
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.
Additionally, the company added that an unauthorized party gained access to certain elements of customers’ information using information obtained in the August 2022 incident.
Moreover, the popular cloud-based remote work tool GoTo (formerly LogMeIn) also disclosed a data breach incident.
GoTo said it detected unusual activity within its development environment and third-party cloud storage service. The third-party cloud storage service is shared by both GoTo and its affiliate, LastPass.
GoTo said threat actors gained access to their development environment and third-party cloud storage service.
LastPass said it has hired Mandiant, a leading security firm, to investigate the incident and has also notified law enforcement regarding the matter.
The company assured that the customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."
Second Breach in a year
This was the second security incident disclosed by LastPass this year. Earlier, the company disclosed a security incident in August, in which an attacker accessed the development environment and stole some of the source code as well as “some proprietary LastPass technical information.”
At that time, LastPass also worked with Mandiant, and the investigation revealed that the threat actor’s activity was limited to four days in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident.
Last year, multiple LastPass users reported login attempts on their accounts using their correct master passwords. People started getting emails from LastPass telling them that the correct master passwords were used, but that the attempts were still blocked due to the unusual geographic location.
In 2015, LastPass also revealed a security incident in which LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.