Popular password management service LastPass said it’s investigating a second security incident that involved attackers accessing some of its customer information.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” LastPass CEO Karim Toubba said.
GoTo, formerly called LogMeIn, acquired LastPass in October 2015. In December 2021, the Boston-based firm announced plans to spin off LastPass as an independent company.
The digital break-in resulted in the unauthorized third-party leveraging information obtained following a previous breach in August 2022 to access “certain elements of our customers’ information.”
The August 2022 security event targeted its development environment, leading to the theft of some of its source code and technical information. In September, LastPass revealed the threat actor had access for four days.
The scope of the breach remains unknown as yet, and it’s not clear if both LastPass and GoTo customers are impacted. However, users’ passwords weren’t compromised.
The company said it has engaged the services of Google-owned Mandiant and alerted law enforcement of the latest development. It also stated it’s working to identify what specific data was accessed.
Additionally, it emphasized that it’s continuing to deploy enhanced security measures and monitoring capabilities to help detect and prevent further threat actor activity.