Information that hackers got from an August hack of password management provider LastPass was used to compromise the company again, its CEO has acknowledged.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Karim Toubba said in a statement Wednesday.
The discovery, Toubba said, came after the company recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.
Customers’ passwords remain safely encrypted, he added.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here.”
As part of its efforts, Toubba said, LastPass continues to deploy enhanced security measures and monitoring capabilities across its infrastructure to help detect and prevent further threat actor activity.
Given the vast number of passwords it protects globally, Lastpass remains a big target, said Yoav Iellin, a senior researcher at Silverfort.
While LastPass admitted the threat actor gained access using information obtained in the previous compromise, exactly what this information is remains unclear, he said. Typically, Iellin added, it’s best practice after suffering a breach for an organization to generate new access keys and replace other compromised credentials to ensure things like cloud storage and backup access keys cannot be reused.
LastPass subscribers should watch out for updates, and verify they are legitimate before taking any action. If they haven’t done so already, they should change the passwords and enable two-factor authentication on any applications with passwords in LastPass, he also said.
In the August incident, some of the company’s source code was stolen after one of its developer accounts was hacked.
The company says it has 100,000 business customers, as well as individual users. Combined, it counts 33 million registered users, with “the significant majority” represented by corporate customers.