LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.
The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” the company said.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Lastpass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack.
It also noted that customers’ passwords have not been compromised and “remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Lastpass added.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq pic.twitter.com/ynuGVwiZcK
— LastPass (@LastPass) November 30, 2022
Breached twice in one year
This is the second security incident disclosed by Lastpass this year after confirming in August that the company’s developer environment was breached via a compromised developer account.
The advisory was published days after BleepingComputer reached out to the company and received no response to questions regarding a possible breach.
In emails sent to customers at the time, Lastpass confirmed the attackers had stolen source code and proprietary technical information from its systems.
In a subsequent update, the company revealed that the attackers behind the August security breach maintained internal access to their systems for four days until they were evicted.
LastPass is behind one of the most popular password management software, claiming that it’s being used by more than 33 million people and 100,000 businesses.