On Wednesday, 30 November, LastPass CEO Karim Toubba confirmed that an unauthorized party had gained access to “certain elements of our customers’ information” within a third-party cloud storage service. The data breach was, Toubba stated, made possible using information obtained from a previous hacking incident in August this year. At that time, Toubba said that portions of source code and some proprietary LastPass technical information had been accessed. It is not clear, however, what specific information enabled the threat actor to gain access to the cloud storage service in the latest breach.
“Given the vast number of passwords it protects globally, LastPass remains a big target,” Yoav Iellin, a senior researcher at Silverfort, says. “The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically, it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.”