Hackers used information gleaned from the August hack of password management provider LastPass to compromise the company again, its CEO has admitted.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Karim Toubba said in a statement Wednesday.
The discovery, Toubba said, came after the company recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its partner, GoTo.
He said that customers’ passwords are securely encrypted.
“We are working diligently to understand the scope of the incident and to identify what specific information was obtained. In the meantime, we can confirm that LastPass’ products and services are fully functional. As such, we recommend that you follow our best practices regarding the setup and configuration of LastPass, which can be found here.”
Toubba said that as part of its efforts, LastPass continues to deploy advanced security measures and monitoring capabilities across its infrastructure to help detect and prevent future threat activity.
Yoav Iellin, a senior researcher at Silverfort, said LastPass remains a major target given the large number of passwords it protects globally.
While LastPass acknowledged that the threat actor gained access using information obtained in a previous incident, exactly what information is unclear, he said. Generally, Iellin said, it is a best practice after a breach for an organization to generate new access keys and to ensure that cloud storage and backup access keys are rotated along with any other compromised credentials.
LastPass subscribers should watch for updates, and verify they are legitimate before taking any action. If they haven’t already done so, they should change passwords and enable two-factor authentication on any applications whose passwords are stored in LastPass, he also said.
In the August incident, some of the company’s source code was stolen after one of its developer accounts was hacked.
The company says it has 100,000 business customers, as well as individual users. Combined, that amounts to 33 million registered users, with a “significant majority” represented by corporate customers.