LastPass CEO Karim Toubba has revealed that the password manager has been breached again. Toubba said the company detected an unusual activity within a third-party cloud storage service that it shares with its parent company GoTo, which was formerly known as LogMeIn. To investigate the incident, LastPass has teamed up with security firm Mandiant. Together, they've determined that the unauthorized party got into LastPass' cloud service by using information obtained from the security breach it suffered in August this year. Further, they've discovered that the bad actor was able to access "certain elements" of its customers' information.
If you'll recall, LastPass was hacked back in August, and Toubba admitted after an investigation that the unauthorized party had internal access to its systems for four days. The hacker was able to steal some of the password manager's source code and technical information, but LastPass said customers' data and encrypted password vaults remained untouched. Apparently, the hacker's access was limited to the service's development environment. While the unauthorized party was able to access some user information this time, LastPass said customers' passwords remain safely encrypted.
In an announcement of its own, remote work and collaboration tools provider GoTo has admitted that bad actors gained entry into its development environment. Like LastPass, the company has assured customers that its products and services are fully functional despite the breach. The password manager and its parent company are still investigating the incident to understand its scope, so we'll likely hear more details in the coming months.