Karim Toubba, the CEO of LastPass, just announced that LastPass was recently breached. LastPass was also breached in August of 2022. This incident appears to be related to the August 2022 incident.
LastPass detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. They immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. LastPass determined that an unauthorized party, using information obtained in the August 2022 incident, was “able to gain access to certain elements of our customers’ information”.
LastPass states that “customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture”. LastPass also states that they are deploying enhanced security measures and monitoring capabilities across their infrastructure to help detect and prevent further threat actor activity.
LastPass did not state what type of “customer information” was stolen.
LastPass is recommending customers follow their best practices on account setup.
If you use LastPass and do not have multi-factor authentication turned on, now would be a good time to turn it on.