
The popular password manager has been hacked again, and there was nothing users could do about it.
Karim Toubba, the CEO of LastPass, admitted in a blog post that his company is investigating a security incident after its systems were compromised for the second time in 2022.
The company detected unusual activity within a third-party cloud storage service, which is shared by both LastPass and its affiliate, GoTo.
He said that an unauthorized party used information obtained in the August 2022 incident to regain access to certain elements of "our customers' information".
"We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement," Toubba said in a statement.
Fortunately, no passwords were leaked.
"Our customers' passwords remain safely encrypted due to LastPass's Zero Knowledge architecture," said the CEO.
It all began when LastPass was hacked in August 2022.
At that time, hackers managed to gain access to LastPass's system, and had internal access for at least four days until they were detected and evicted.
The incident didn't compromise users' Master Passwords, because, as LastPass claimed, it never stores or has knowledge of users' Master Passwords.
"We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers' Master Password," the company said at the time.
While it may have seemed to end users that the hack didn't cause much damage, they were wrong.
This is because the hackers who bypassed LastPass's security measures managed to steal some of the software's source code, as well as some proprietary LastPass technical information.
And apparently, the hackers used the information they obtained from that hack to breach LastPass a second time.
"We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional," Toubba said.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass's Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq
— LastPass (@LastPass) November 30, 2022
While LastPass didn't name the third-party cloud service, it's worth noting that back in 2020, a blog post by Amazon Web Services noted that LogMeIn (later rebranded as GoTo) had moved its billion customer records to Amazon's cloud.
LastPass is one of several password managers on the market that aim to reduce password reuse online by storing passwords in a single app.
It also makes it easier for users to generate strong passwords when needed.
This hack may not affect users directly, since only customer data was stolen, not their passwords.
But regardless, LastPass did not say specifically what that information was.
Toubba said only that the company would put in place additional security measures and monitoring to detect any further threat actor activity.