Password-management firm LastPass has suffered a second security incident this year. In August, Hackread reported an intrusion into the company’s development environment due to a compromised developer account.
This time, the company’s affiliate GoTo has become a victim of a breach in which unidentified attackers targeted their shared cloud-storage service.
Breach Details
GoTo is a renowned company known for its desktop-sharing and virtual meeting software. On Wednesday, LastPass’s CEO Karim Toubba issued a security advisory revealing that they detected unusual activity on its cloud storage shared with GoTo and immediately started an investigation after hiring Mandiant and notifying relevant law enforcement authorities.
Independent security researcher Brian Krebs tweeted GoTo’s response, explaining that GoTo Meeting is investigating the “security incident” and that the unusual activity was detected in its 3rd party cloud storage service and development ecosystem.
GoTo’s Notification
On Wednesday, Boston-based GoTo’s chief executive Paddy Srinivasan shared a post but didn’t mention that an unauthorized party accessed any customer data. Srinivasan did note that they were investigating the security incident and trying to “better understand the scope of the issue.”
He also confirmed roping in Mandiant and notifying law enforcement about the breach. Srinivasan stated that both GoTo and LastPass share the 3rd party cloud storage service. However, neither LastPass nor GoTo mentioned the name of that 3rd part service in their respective notices.
“GoTo’s products and services remain fully functional. As part of our efforts, we also continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity,” Srinivasan added.
LastPass’s Analysis
In its blog post, LastPass stated that an “unauthorized party” accessed the cloud storage service using information from the earlier security breach incident in August 2022. Armed with data required to access various elements of their customer data, the attackers could invade the system. However, customers’ passwords are safely encrypted as the company uses the Zero-Knowledge framework to save confidential data.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Toubba said.
He confirmed that the company’s products and services are fully operational, but customers should be cautious and follow LastPass’ setup and configuration-related best practices.