Security News
The company was hacked, and customer information accessed. No passwords were compromised.
Intruders broke into a third-party cloud storage service LastPass shares with affiliate company GoTo and gained access to "Certain elements" of customers' information, the pair have confirmed. LastPass did not define what it meant by "Certain elements," saying it was unsure what data was looked at: "We are working diligently to understand the scope of the incident and identify what specific information has been accessed this morning."
LastPass and its affiliate GoTo have announced that they suffered a security incident and, in LastPass' case, a possible data breach. "Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service," GoTo CEO Paddy Srinivasan noted, and explained that the third-party cloud storage service in question is shared by GoTo, a cloud-baser SaaS provider of remote work collaboration and IT management tools, and LastPass, the company behind the popular password manager of the same name.
Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," LastPass CEO Karim Toubba said.
Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," LastPass CEO Karim Toubba said.
LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.
DUCK. Yes, Uber has come out with a follow up report, and it seems that they're suggesting that a hacking group like LAPSUS$ was responsible. Just because you have those that's a security gate, but it's not the end-all and be-all to keeping someone out.
The big story from last month was the LastPass breach, in which an attacker apparently got access to just one part of the LastPass network, but was able to make off with the company's proprietary source code. LastPass has now published an official follow-up report on the incident, based on what it has been able to figure out about the attack and the attackers in the aftermath of the intrusion.
Password management solution LastPass shared more details pertaining to the security incident last month, disclosing that the threat actor had access to its systems for a four-day period in August 2022. "There is no evidence of any threat actor activity beyond the established timeline," LastPass CEO Karim Toubba said in an update shared on September 15, adding, "There is no evidence that this incident involved any access to customer data or encrypted password vaults."
LastPass says the attacker behind the August security breach had internal access to the company's systems for four days until they were detected and evicted. While method through which the attacker was able to compromise a Lastpass developer's endpoint to access the Development environment, the investigation found that the threat actor was able to impersonate the developer after he "Had successfully authenticated using multi-factor authentication."