World’s biggest password manager suffers data breach

Password manager LastPass has suffered another data breach where an unauthorised party gained access to customer information, the company revealed in a blog post.

LastPass says it detected unusual activity on a third-party cloud storage service, adding that it has alerted law enforcement and is investigating the breach.

LastPass and its affiliate GoTo share the cloud storage service.

The company said its customers’ passwords remain encrypted because of LastPass’s Zero Knowledge architecture.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” it said.

“In the meantime, we can confirm that LastPass products and services remain fully functional.”

LastPass has determined that the unauthorised party accessed its customers’ information using information acquired during an earlier data breach in August 2022.

At the time, an unauthorised party gained access to LastPass’s developer environment — the software its employees use to build and maintain the platform.

After breaking into the password manager’s systems, they managed to steal source code and proprietary information.

The company said the adversaries gained access through a single compromised developer’s account.

In September 2022, LastPass revealed that the perpetrator had access to its systems for four days, adding that its password vaults remained untouched.

Now read: Attackers exploit trending TikTok challenge to spread malware

Subscribe to our daily newsletter

World’s biggest password manager suffers data breach