LastPass says it was breached — again

Password manager LastPass said it’s investigating a security incident after its systems were compromised for the second time this year.

LastPass chief executive Karim Toubba said in a blog post that an “unauthorized party” recently gained access to some customers’ information stored in a third-party cloud service shared by LastPass and its parent company, GoTo. Toubba said the unauthorized party used information stolen from LastPass’ systems in August, which the company disclosed at the time.

The third-party cloud service wasn’t named, but a 2020 blog post by Amazon Web Services cited the company’s transition of a billion customer records to Amazon’s cloud.

Toubba did not say what specific customer information was taken, but said the company was working to “understand the scope of the incident and identify what specific information has been accessed.”

GoTo, formerly LogMeIn, which acquired LastPass in 2015, said in a similarly vague statement that it was investigating the incident. It’s not yet clear if both LogMeIn and GoTo customers are affected by the breach.

LastPass said in August that an unauthorized party “gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” LastPass said that its system design and controls “prevented the threat actor from accessing any customer data or encrypted password vaults.”

Toubba added in the blog post Wednesday that “customers’ passwords remain safely encrypted.”

GoTo spokesperson Elizabeth Bassler declined to comment beyond LastPass’ blog post.

If you know more about the LastPass and GoTo breach, get in touch via Signal at +1 646.755.8849 or via SecureDrop.