Credential management specialist LastPass has disclosed a new cyber security incident – its second in four months – that seems to have its roots in the first.
The company launched an investigation, notified law enforcement and brought on board expertise from Mandiant, after it spotted unusual activity in an undisclosed third-party cloud storage service, which it shares with its affiliate GoTo, a unified communications company.
LastPass CEO Karim Toubba said the investigation found that an unauthorised party used information stolen in the August 2022 incident to access “certain elements” of customers’ information. Customer passwords were not impacted and remain safely encrypted, he said.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” said Toubba. “In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass.”
The fact that LastPass customer data appears to have been accessed means the latest incident is potentially more impactful than the first.
The August 2022 cyber attack saw a threat actor compromise a LastPass developer’s endpoint to access the firm’s development environment, establish persistent access once the developer had authenticated, and steal portions of source code and some proprietary technical information.
It is now clear that this information has proved of some value, although LastPass did not say whether or not its latest attacker was the same individual, or whether the information was sold on in some way.
Toubba added: “As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.
“We thank you for your patience while we work through our investigation. As is our practice, we will continue to provide updates as we learn more.”
Silverfort senior researcher Yoav Iellin commented: “Given the vast amount of passwords it protects globally, LastPass remains a big target.
“The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically, it is best practice after suffering a breach for the organisation to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.”
Iellin added: “For worried users, ensure you watch out for updates from the company and take time to verify that these are legitimate before taking any action.
“In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass, and changing passwords, will provide the utmost level of security.”