The August 2022 cyber attack on LastPass seems to have begotten another incident, according to company CEO Karim Toubba
Credential management specialist LastPass has disclosed a new cyber security incident – its second in four months – that seems to have its roots in the first.
The company launched an investigation, notified law enforcement and brought on board expertise from Mandiant, after it spotted unusual activity in an undisclosed third-party cloud storage service, which it shares with its affiliate GoTo, a unified communications company.
LastPass CEO Karim Toubba said the investigation found that an unauthorised party used information stolen in the August 2022 incident to access “certain elements” of customers’ information. Customer passwords were not impacted and remain safely encrypted, he said.
Silverfort senior researcher Yoav Iellin commented: “Given the vast amount of passwords it protects globally, LastPass remains a big target.
“The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically, it is best practice after suffering a breach for the organisation to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.
Iellin added: “For worried users, ensure you watch out for updates from the company and take time to verify that these are legitimate before taking any action.
“In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass, and changing passwords, will provide the utmost level of security.”