LastPass Confirms Breach of Customer Information in Hacking Incident

LastPass has announced that hackers acquired access to a third-party cloud storage solution that held customer information, though there was no compromise of user passwords. The hacking incident is associated with the data breach that happened in August 2022.

Last August, a hacker succeeded in breaching a developer account and accessing the LastPass developer system. Source code and exclusive technical data were stolen, but there was no compromise of user information, and password vaults stayed protected.

LastPass CEO Karim Toubba’s most recent announcement involved a different incident. Data stolen during the August breach enabled the hacker to access a third-party storage solution that LastPass and its affiliate GoTo (formerly LogMeIn) shared. GoTo released an identical breach notification in the last couple of days.

LastPass stated the two incidents were looked into immediately, with the help given by the cybersecurity company Mandiant. The breach investigation is still in progress, but access to some parts of the customer data has been confirmed. There is no public disclosure of the types of compromised data so far.

Password managers are normally targeted by hackers since they are used to save the whole collection of their customers’ passwords. LastPass is also targeted as one of the prominent password managers. The firm boasts of having 33 million registered users and serves over 100,000 companies. For safety reasons, password managers usually employ zero-knowledge architecture. This means that the password manager service doesn’t have access to the encrypted password vaults. Like the incident in the August data breach, Toubba emphasized that its clients’ passwords stayed secure and encrypted because of the Zero Knowledge architecture of LastPass.

Though hackers target password managers, they still offer better protection than not utilizing one, because they enable users to enhance their password practices, use unique, complex passwords for every account, and refrain from using one password on several platforms. Normally, it is necessary to set a very strong password for the master password to protect password vaults, and to implement 2-factor authentication.

LastPass published a Psychology of Passwords report stating that although more businesses provide security awareness training programs, it seems that poor password practices like reusing passwords are not eliminated. Survey respondents claimed they know the password risks yet still choose convenience over security and reuse passwords on several accounts and employ bad password practices. Passwordless authentication can resolve these password issues, but until such time that technology is integrated, password managers are the best option for bettering password security because they make it simpler to observe password best practices.