LastPass Breach Exposes Customer Data

Hackers Gained Access From Information Stolen in Previous Attack

Hackers obtained customer information but not passwords, password manager LastPass said in a Wednesday update to a cybersecurity incident first detected in August.

The access control specialist said an unauthorized party used information stolen during a dayslong incident in August to break into its third-party cloud storage service more recently.

The hacker "was able to gain access to certain elements of our customers' information," wrote LastPass CEO Karim Toubba in a blog post, without specifying which elements.

Passwords were unaffected, Toubba insisted. "Our customers' passwords remain safely encrypted due to LastPass's Zero Knowledge architecture." He also wrote that an investigation was launched immediately after the first incident, with outside assistance from Mandiant.

Mandiant also investigated the August security incident and determined that the threat actor had penetrated the LastPass development environment for four days. The hacker got in using a compromised endpoint (see: Hacker Accessed LastPass Internal System for 4 Days).

Once inside, the hacker impersonated a developer after the actual employee supplied multifactor authentication credentials.

The company says it has more than 33 million registered customers and serves more than 100,000 businesses. For obvious reasons, password managers are hacking magnets, but cybersecurity experts continue to recommend them as a solution to common security pitfalls such as weak or repeated passwords. A recent survey by Consumer Reports found that only 39% of consumers use a password manager.

Users who combine strong and unique passwords with multifactor authentication, especially in the form of a security key, make their accounts even more resistant to hacking, decreasing the potential fallout should the unthinkable occur and a password manager fully succumb to hackers.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



