While LastPass initially said it found no evidence that customer data was compromised during a data breach in August, the password management vendor confirmed that information stolen in the attack has now been used to access some customer information, though the scope remains unclear.
LastPass CEO Karim Toubba disclosed the initial data breach in late August, revealing that a single developer account had been compromised. Though source code and "some proprietary LastPass technical information" were stolen, Toubba said an investigation with incident response firm Mandiant determined that there was no evidence that customer data was affected.
However, an updated security incident statement Wednesday confirmed that fallout from the attack continues and might be concerning to customers.
"We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information," Toubba wrote in the update. "We are working diligently to understand the scope of the incident and identify what specific information has been accessed."
UPDATE 12/22: LastPass announced the threat actor copied a backup of customer vault data that included unencrypted data such as websites as well as encrypted usernames and passwords, among other data. The threat actor also copied a backup of customer vault data that included "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."
While the vendor said the encrypted customer data is protected with 256-bit AES encryption, LastPass warned that threat actors may launch brute-force attacks on customer accounts to obtain master passwords (which are not stored or maintained at LastPass) and unlock additional usernames and passwords. LastPass said customers who created strong master passwords using the vendor's default settings do not need to take any action. However, customers who did not use the default settings for master passwords should consider changing their stored passwords.
LastPass said it engaged the services of Mandiant again and contacted law enforcement after detecting unusual activity within a third-party cloud storage service it shares with GoTo, formerly known as LogMeIn, which acquired LastPass in 2015.
The latest update from LastPass represents a marked change in the assessment of the August breach. In a September update after the initial investigation with Mandiant was completed, LastPass wrote: "Although the threat actor was able to access the development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults."
Due to the findings, LastPass did not recommend any actions for customers to take regarding compromised data. The password management vendor also said it deployed additional endpoint security controls and monitoring following the August attack.
While LastPass said its services remain functional and customers' passwords remain safely encrypted, it is unclear whether that refers to all stored passwords or only to master passwords. It also remains unclear what customer information, or how much of it, the threat actor obtained in the most recent breach.
LastPass did not respond to requests for comment.