An attacker recently gained access to an outside cloud storage service used by LastPass and was able to obtain customer data, the company said Wednesday.
LastPass CEO Karim Toubba said that the intruder used some data stolen during a previous attack on the company’s network in order to get access to the cloud storage system. In August, LastPass disclosed that an attacker had compromised a developer account inside the company and used that access in order to steal some of the company’s source code and other information.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba said.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”
Toubba said that none of the company’s products or services were affected by the intrusion. The August incident appears to have been the more serious of the two, and its effects are clearly still being felt. That intrusion lasted several days, and the attacker had direct access to the LastPass development environment. The good news in that case was that the development environment has no connection to the production environment; even so, whatever information the attacker stole in that incident aided the second intrusion.
“Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication,” Toubba said of the August incident.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”
LastPass’s password manager is used widely by enterprises as well as consumers.