While LastPass initially said it found no evidence that customer data was compromised during a data breach in August, the password management vendor confirmed that information stolen in the attack has now been used to access some customer information, though the scope remains unclear.
LastPass CEO Karim Toubba disclosed the initial data breach in late August, revealing that a single developer account had been compromised. Though source code and “some proprietary LastPass technical information” was stolen, Toubba said an investigation with incident response firm Mandiant determined that there was no evidence that customer data was affected.
However, an updated security incident statement on Wednesday confirmed that fallout from the attack continues and may concern customers.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Toubba wrote in the update. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
LastPass said it engaged the services of Mandiant again and contacted law enforcement after detecting unusual activity within a third-party cloud storage service it shares with GoTo, formerly known as LogMeIn, which acquired LastPass in 2015.
The latest update from LastPass represents a marked change in the assessment of the August breach. In a September update after the initial investigation with Mandiant was completed, LastPass wrote: “Although the threat actor was able to access the development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”
Based on those findings, LastPass did not recommend any actions for customers to take regarding compromised data. The password management vendor also said it had deployed additional endpoint security controls and monitoring following the August attack.
While LastPass said its services remain functional and customers’ passwords remain safely encrypted, it is unclear whether that refers to all stored passwords or only to master passwords. It also remains unclear what customer information, or how much of it, the threat actor obtained in the most recent breach.