Cyber Incident Victim: LastPass
Date: Nov 2022
Location: United States of America
Summary
LastPass experienced a security breach where attackers exploited information stolen during an earlier incident to infiltrate a shared third-party cloud storage service, accessing certain customer data. The company confirmed that encrypted passwords remained secure due to its Zero Knowledge architecture, though other stored information was compromised. This marked the second breach within months, following a prior intrusion into its developer environment which resulted in stolen source code and proprietary technical information. LastPass engaged security firm Mandiant to investigate, notified law enforcement, and emphasized ongoing efforts to determine the full scope of impacted data.
Description
In late November 2022, LastPass disclosed a security breach involving unauthorized access to its third-party cloud storage service, shared with its affiliate GoTo. The company detected unusual activity within this environment and determined that threat actors leveraged information stolen during an earlier August 2022 incident to compromise the storage infrastructure. This allowed attackers to access certain elements of customer information stored in the service, though the specific scope of accessed data remained under investigation at the time of disclosure. LastPass emphasized that customers' password vaults remained protected by its Zero Knowledge architecture, meaning master passwords and encrypted vault data were not compromised directly through this breach. The company engaged cybersecurity firm Mandiant to assist with forensic analysis and notified law enforcement agencies about the intrusion. This incident marked the second breach disclosed by LastPass in 2022, following an August event where attackers infiltrated the company's developer environment.

The August 2022 breach occurred when threat actors compromised a LastPass developer account, gaining access to the company's internal systems for four days before being detected and evicted. During that intrusion, attackers exfiltrated portions of LastPass's source code and proprietary technical information, which they subsequently weaponized to facilitate the November cloud storage breach. LastPass confirmed the August incident through customer notifications after BleepingComputer inquired about potential unauthorized access, though initial communications did not disclose the full duration of attacker presence in their systems. While the November breach exploited credentials or methodologies obtained months earlier, LastPass maintained that password encryption mechanisms remained intact across both incidents. The company continued investigating the extent of customer data exposure in the cloud storage compromise while reiterating that vault encryption provided ongoing protection against credential theft despite the infrastructure breaches.
