LastPass and its affiliate GoTo (formerly LogMeIn) have announced that they suffered a security incident and, in LastPass’ case, a possible data breach.
“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service,” GoTo CEO Paddy Srinivasan noted, and explained that the third-party cloud storage service in question is shared by GoTo, a cloud-baser SaaS provider of remote work collaboration and IT management tools, and LastPass, the company behind the popular password manager of the same name.
Both companies have engaged Mandiant to help their internal teams investigate the issue and have alerted law enforcement. Also, both companies’ products and services “remain fully functional.”
While GoTo does not mention any compromised information, LastPass CEO Karim Toubba said that their preliminary investigation has shown that “an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” but that the customers’ passwords “remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
The August 2022 incident he referred to resulted in a breach and the exfiltration of portions of source code and some proprietary LastPass technical information.
Whether that stolen information has helped attackers perpetrate this latest breach is yet unknown. But, as confimed by the company a month later, that previous breach did result in code-poisoning or malicious code injection, nor the theft of customer data.
LastPass is yet to share what customer information has been accessed in this latest attack.