Major password manager LastPass suffered a breach — again

December 1, 2022

12:27 PM ET

Ashley Ahn

In this photo illustration, the LastPass logo is reflected on the internal discs of a hard drive in 2017 in London. On Wednesday, the password service reported "unusual activity" within a third-party cloud storage service but said that customers' passwords remain safely encrypted. Leon Neal/Getty Images

LastPass, a major password manager, says it has suffered its second breach in three months by the same unauthorized party.

LastPass CEO Karim Toubba announced Wednesday that the company detected "unusual activity" within a third-party cloud storage service but that customers' passwords remain safely encrypted.

"We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement," Toubba wrote in a statement.

An unauthorized party gained access to parts of the LastPass development environment during a four-day period in August. There was no evidence of access to customer data, Toubba wrote after this first breach, noting that the development environment does not contain any customer data.

Three months later, the same party used the information it gained in August to access "certain elements" of customers' information, Toubba said.

Toubba maintains that passwords are safely encrypted despite the recent breach.

"We are working diligently to understand the scope of the incident and identify what specific information has been accessed," Toubba said. "In the meantime, we can confirm that LastPass products and services remain fully functional."

Still, the company recommended that its users "follow our best practices around setup and configuration," including setting up multi-factor authentication.

Wired named LastPass one of its honorable mentions for password managers this year. Previously, it was the tech publication's favorite free option before LastPass changed its free plan to limit users to a single device.

"Lastpass' paid plan offers most of the same features you'll find in our other top picks, though it lacks the travel features of 1Password and isn't open source like BitWarden," Wired wrote. "We just don't see any reason to suggest it over our top picks, and it was recently hacked."
