Threat Watch

LastPass Says Hackers Accessed Customer Data in Most Recent Breach

In a statement released yesterday, LastPass CEO Karim Toubba notified customers that the company had detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate. Toubba further explained that threat actors managed to access customer data stored in the compromised storage service. LastPass believes the unauthorized party used information obtained in an August 2022 incident to access customer data. LastPass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack. Toubba assured the public that customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

ANALYST NOTES

LastPass reminded customers that their master password should be extremely strong and unique, and should never be reused. Additionally, users should set up multi-factor authentication (MFA). MFA combines biometric and contextual factors to establish identity: something you know (a password), something you have (a mobile device), and something you are (a biometric). LastPass provided the following instructions to ensure customer accounts are set up properly and secured: https://blog.lastpass.com/2022/01/how-to-set-up-your-new-lastpass-account/

https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/