In August, LastPass said an unauthorized party had gained access to portions of the LastPass development environment through a single compromised developer account.
Now, the company has said that information taken in the August incident was used to gain access to "certain elements of our customers’ information".
It is unclear what customer information was compromised. But LastPass has reassured customers that their passwords were not accessed and remain safely encrypted due to LastPass’s Zero Knowledge architecture. In a nutshell, this means that since your individual passwords are encrypted and locked behind a master password that even LastPass does not know, no attacker could gain access to them.
LastPass says it discovered the breach after detecting unusual activity within a third-party cloud storage service shared by both LastPass and its affiliate, GoTo. GoTo, the company behind GoToMyPC (formerly known as LogMeIn), said of the incident that it detected unusual activity within its development environment and third-party cloud storage service.
What to do?
In response to the incident, LastPass deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. It has also alerted law enforcement.
If you haven’t done so already, it is advisable to enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won't be able to access your account even if your password was compromised. The instructions to enable MFA can be found on the LastPass support pages.
We will keep you posted here if there are any updates to the story.