LastPass revealed another data breach in which cybercriminals gained access to customer data stored in a cloud service from a third party.

According to the company’s CEO, Karim Toubba, the attackers used information stolen from the August this year security breach with the company to gain access to the cloud space that the company shared with its GoTo affiliate.

Key executives, or “password manager”, are programs that manage all our passwords in one place, remember them for us, and even suggest very complex combinations of characters that we don’t have to remember.

In August 2022, LastPass confirmed that a threat actor had compromised the company’s development environment for four days using a developer account. They also obtained access to source code and some proprietary technical information, but did not have access to customer data or data vaults. encrypted passwords.

This time, however, the leak has consequences for its users. LastPass now claims the attacker used information obtained in the previous incident to facilitate the November 2022 data breach and access undisclosed elements of LastPass customer information.

compromised data

On November 30, 2022, LastPass notified customers that it has detected unusual activity within a third-party cloud storage service shared with its affiliate, GoTo, formerly LogMeIn.

The password management firm has taken on cybersecurity firm Mandiant in an investigation that confirmed unauthorized access to third-party shared cloud customer data.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to access certain elements of our customer information,” LastPass said in a blog post.

However, LastPass said that the exposed data is not passwords, which would be the worst, but information such as email.

The company has also notified law enforcement and has begun work to determine the nature of the stolen customer data.

“Our customers’ passwords remain securely encrypted thanks to LastPass’ Zero Knowledge architecture,” they explained.

Thus, cracking password hashes would not be a trivial task, as LastPass allows users to generate strong passwords. Furthermore, the company assured its customers that it would continue improve your defenses to prevent further threat activity on your infrastructure.

“As part of our efforts, we continue to implement advanced security measures and monitoring capabilities in our infrastructure to help detect and prevent further activity by threat actors.”

LastPass had notified its customers that the cybercriminals had not injected any malicious code during the breach. security August 2022, as the developers were unable to directly push the code into production. Additionally, the company explained that its development environment was physically separate from the production environment.

“Developers don’t have the ability to push source code from development to production. This capability is limited to a separate build release team and can only occur after rigorous code review, testing, and validation processes have been completed.

Apparently, the cybercriminals managed to create a backdoor which they then exploited to gain access to customer data.

For this reason, it is still recommended that you change the master key for all LastPass users.