LastPass Breach Exposes Customer DataHackers Gained Access From Information Stolen in Previous Attack
Hackers obtained customer information but not passwords, password manager LastPass said in a Wednesday update to a cybersecurity incident first detected in August.
See Also: A Guide to Passwordless Anywhere
The access control specialist said an unauthorized party used information stolen during a dayslong incident in August to more recently break into its third-party cloud storage service.
The hacker "was able to gain access to certain elements of our customers' information," wrote LastPass CEO Karim Toubba in a blog post - without specifying which elements.
Passwords were unaffected, Toubba insisted. "Our customers' passwords remain safely encrypted due to LastPass's Zero Knowledge architecture." He also wrote that an investigation was launched immediately after the first incident, with outside assistance from Mandiant.
Mandiant also investigated the August security incident and determined that the threat actor had penetrated the LastPass development environment for four days. The hacker got in using a compromised endpoint (see: Hacker Accessed LastPass Internal System for 4 Days).
Once inside, the hacker impersonated the developer after the actual employee supplied multifactor authentication credentials.
The company says it has more than 33 million registered customers and serves more than 100,000 businesses. For obvious reasons, password managers are hacking magnets, but cybersecurity experts continue to recommend them as a solution to common security pitfalls such as weak or repeated passwords. A recent survey by Consumer Reports found that only 39% of consumers use a password manager.
Users who combine strong and unique passwords with multifactor authentication, especially in the form of a security key, make their accounts even more resistant to hacking, decreasing the potential fallout should the unthinkable occur and a password manager actually fully succumb to hackers.