IOTW: Passwords secure in latest LastPass data breach

A hacker accessed LastPass’ third-party cloud storage but was unable to obtain customer passwords

Olivia Powell
12/01/2022


Password manager LastPass has continued to maintain the security of its customers’ passwords despite suffering its second data breach of 2022.

The breach was discovered on November 30 after LastPass detected “unusual activity” within a third-party cloud storage solution that it uses. Following the detection, LastPass launched an investigation into the cyber security incident and alerted the authorities.

The password management company determined that the malicious actor gained access to the cloud storage solution using data obtained in an earlier breach of the company on August 25 of this year.

The hacker was able to access “certain elements” of customer information, although no passwords were stolen during the cyber security incident. 
LastPass has not yet been able to confirm what data was accessed during the breach but the company has said it is “working diligently to understand the scope of the incident”. 

In the wake of the cyber attack, LastPass has said it will continue to “deploy enhanced security measures and monitoring capabilities” to detect further threats to its infrastructure.

What happened in the August data breach?

On August 25, LastPass suffered a data breach after an unauthorized third party gained access to its developer environment through a compromised developer account.

The bad actor then took “some proprietary LastPass technical information” and “portions of source code”, although no passwords, master passwords or personal data or information were compromised during the breach.

Following an investigation, LastPass confirmed that the malicious actor had access to its developer environment for four days in August, during which their unauthorized activity was detected and contained. This activity did not involve the bad actor gaining access to encrypted password vaults of customer data. 

