Intruders gain access to user data in LastPass incident

2022-12-01 13:30

Intruders broke into a third-party cloud storage service LastPass shares with affiliate company GoTo and gained access to "Certain elements" of customers' information, the pair have confirmed.

LastPass did not define what it meant by "Certain elements," saying it was unsure what data was looked at: "We are working diligently to understand the scope of the incident and identify what specific information has been accessed this morning."

Users who lose their master passwords can lose access to their vaults, although there are some recovery options.

The criminals had access to LastPass's internal systems for four days, gaining access to portions of the LastPass development environment through a single compromised developer account, and taking sections of source code as well as some proprietary LastPass technical information.

During this period, Lastpass said it had contained the incident, and emphasized that the intruder had not gained access to customer data or encrypted password vaults.

The password manager always had a freemium model, but after the 2019 acquisition moved to a model that pushed harder for punters to shift to the paid service, and was criticized for, among other things, limiting the number of times free users could move from mobile device access to desktop access.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/01/lastpass/

#lastpass