- The aftermath of an August breach at LastPass has spread, compromising customer data, the password manager said in a Wednesday notice.
- “We recently detected unusual activity within a third-party cloud storage service,” CEO Karim Toubba said in a blog post. “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
- The company did not say when it discovered the subsequent breach, what type of customer information was exposed or how many customers are now potentially compromised. LastPass did not respond to a request for more information.
LastPass previously said no customer data or encrypted vaults were accessed in August, when an unauthorized actor breached its systems and stole portions of its source code and some proprietary technical information.
The company did not explain how data stolen in August was used to access customers’ data more than three months later. Mandiant is assisting with the investigation and law enforcement has been notified, according to LastPass.
The unusual activity in the company's development environment offers clues about what went wrong in August, and what continues to go wrong, according to Michael White, technical director and principal architect at Synopsys.
“Once compromised, access to a development or test system can give away the keys to the kingdom,” White said via email.
Such a breach can “allow an attacker lateral movement towards critical sensitive information, or permit an attacker to interfere in the software build process to introduce backdoors, which make their way into production,” White said.
If the root cause of this subsequent breach is determined to be a compromised development system, an attack of the kind that hit SolarWinds could be at fault, according to White. In that incident, the attackers tampered with the build process for SolarWinds' Orion software to insert the Sunburst backdoor into legitimate, signed updates, which were then distributed to downstream organizations.
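The build-tampering scenario White describes is detectable when the same source is built on an independent, trusted builder and the outputs are compared artifact by artifact. The following example is added here for illustration and is not code from the article, from LastPass or from Synopsys; the "build outputs" are constructed placeholder byte strings, and the file names are assumptions chosen only to make the comparison concrete.

```python
import hashlib
from typing import Dict, List

# Constructed sample "build outputs" (file name -> bytes). These are not real
# LastPass artifacts; the contents stand in for compiled binaries.
REFERENCE_BUILD: Dict[str, bytes] = {
    "bin/lpass": b"\x7fELF reference client binary",
    "lib/auth.so": b"\x7fELF reference auth library",
    "lib/crypto.so": b"\x7fELF reference crypto library",
}

# A second build of the same commit on an independent, trusted builder should
# be byte-identical. Here "lib/auth.so" has had bytes appended, standing in
# for a backdoor inserted by a compromised build system, and an unexpected
# artifact has appeared that the reference build never produced.
TAMPERED_BUILD: Dict[str, bytes] = {
    "bin/lpass": b"\x7fELF reference client binary",
    "lib/auth.so": b"\x7fELF reference auth library" + b"\x90\x90<injected>",
    "lib/crypto.so": b"\x7fELF reference crypto library",
    "lib/helper.so": b"\x7fELF unexpected extra library",
}


def artifact_digests(build: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per artifact. In practice this manifest is signed and kept
    outside the build environment, so a compromised builder cannot rewrite
    the record it will later be checked against."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in build.items()}


def compare_manifests(reference: Dict[str, str], candidate: Dict[str, str]) -> List[str]:
    """Report every artifact that differs, is missing, or is unexpected.
    An empty list means the two builds match exactly. Extra files are treated
    as findings too: a backdoor can be a new component, not only a modified one."""
    findings: List[str] = []
    for name in sorted(set(reference) | set(candidate)):
        if name not in candidate:
            findings.append(f"{name}: missing from candidate build")
        elif name not in reference:
            findings.append(f"{name}: unexpected artifact not in reference build")
        elif reference[name] != candidate[name]:
            findings.append(f"{name}: digest mismatch")
    return findings


def release_is_clean(reference: Dict[str, bytes], candidate: Dict[str, bytes]) -> bool:
    """True only when every artifact of the candidate build matches the reference."""
    return not compare_manifests(artifact_digests(reference), artifact_digests(candidate))


if __name__ == "__main__":
    report = compare_manifests(artifact_digests(REFERENCE_BUILD), artifact_digests(TAMPERED_BUILD))
    for line in report:
        print(line)
    print("release clean:", release_is_clean(REFERENCE_BUILD, TAMPERED_BUILD))
```

Run on the constructed inputs, the comparison flags the modified library and the extra file while the unchanged artifacts pass. The check is only as strong as the independence of the second build and the integrity of the stored manifest: if both builds run on the same compromised infrastructure, or the attacker can rewrite the manifest, identical digests prove nothing.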
LastPass is used by more than 33 million registered users and more than 100,000 business customers.
Despite the breach, LastPass is fully operational and “customers’ passwords remain safely encrypted,” Toubba said.