LastPass security incident
GoTo and LastPass, affiliated entities, have issued official statements informing of a security breach in their systems. Unauthorised access has been detected, using information obtained in another incident that took place in August 2022, which allowed access to certain elements of their customer data.
Additionally, GoTo and LastPass have initiated an investigation to understand the scope of the incident and identify what specific information was accessed, with LastPass confirming that products and services remain fully functional.
[Update 27/12/2022] LastPass has updated information on this incident, clarifying that the attackers managed to get their hands on user password vaults, allowing the attackers to extract information from a backup that contained customer information and related metadata, such as company names, end users, billing addresses, email addresses, phone numbers and IP addresses, although this data is encrypted with 256-bit AES.
References:
- 30/11/2022 goto.com Our response to a recent security incident
- 30/11/2022 blog.lastpass.com [Update 27/12/2022] Notice of Recent Security Incident
- 30/11/2022 bleepingcomputer.com GoTo says hackers breached its dev environment, cloud storage
- 01/12/2022 techcrunch.com LastPass says it was breached - again
- 01/12/2022 hipertextual.com LastPass confirma otra brecha de seguridad: cambia tu contraseña inmediatamente
- 25/08/2022 incibe-cert.es LastPass security breach