CEO of popular encrypted password manager LastPass, Karim Toubba, has admitted the company is investigating a security incident after its systems were compromised for the second time in 2022.
The company reportedly detected unusual activity within a third-party cloud storage service. It is currently shared by both LastPass and its affiliate, GoTo.
“We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” Toubba explained in a statement regarding the incident.
The previous security breach in August this year allowed cybercriminals internal access to the company’s systems for four days until they were detected and evicted. That is a big deal if you’re a company whose customers depend on you to securely store their precious passwords.
Toubba said that an unauthorized party, using information obtained in the August 2022 breach, was again able to gain access to certain elements of “customers’ information”.
“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” assured Toubba. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”
LastPass is a freemium password manager that stores customers’ encrypted passwords on the cloud. The company does not have any access to the master passwords of its clients’ vaults.
“Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model,” according to the LastPass.
Toubba assures worried users that the company continues to deploy enhanced security measures and monitoring capabilities across its infrastructure to aid in recognizing and preventing further threat actor activity.