
Password keeper app LastPass just got hacked again

Updated Jan 25th, 2023 1:31PM EST


If there’s one app that shouldn’t get hacked, it’s the one you use to store your passwords and credentials. Unfortunately, LastPass seems to be having a bad year, as this is the second time the company has announced a “security incident.” Here’s what you need to know.

In a blog post, LastPass CEO Karim Toubba said that the company recently detected “unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.”

It seems the hackers were able to use information obtained in the August “incident” to gain access to “certain elements” of LastPass users’ information. That said, Toubba stated that customers’ passwords remain “safely encrypted due to the app’s Zero Knowledge architecture.”

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”

The LastPass CEO says the company continues to “deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.”

Background

LastPass had some source code and technical information taken in August. The company carried out an investigation and published a report 20 days later, in September.

“Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.

“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”

At that time, the CEO also said that none of the users’ information was hacked.


José Adorno Tech News Reporter
