LastPass CEO Karim Toubba says an “unauthorized party” recently gained access to some customers’ information, but all passwords are secure.
GoTo, maker of the popular virtual meeting and desktop sharing software, and its affiliate LastPass confirmed Wednesday that their shared cloud storage service has been hit by unknown hackers.
In a post Wednesday, LastPass CEO Karim Toubba said his password management company recently “detected unusual activity” within its third-party cloud storage service and immediately launched an investigation, which included hiring security firm Mandiant and alerting law enforcement.
“We have determined that an unauthorized party, using information obtained in (an) incident in August 2022, gained access to certain elements of our customers’ information,” he said. “Our customers’ passwords remain securely encrypted thanks to LastPass’ Zero Knowledge architecture.”
The name of the third-party cloud storage service has not been disclosed.
In a separate post Wednesday, GoTo CEO Paddy Srinivasan made no mention of an unauthorized party gaining access to some customers’ information.
Addressing GoTo customers, Srinivasan said his company was “investigating a security incident” and that “we are currently working to better understand the scope of the problem.”
Srinivasan said that Boston-based GoTo, like LastPass, called in Mandiant and informed law enforcement about the incident.
“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.”
Srinivasan added: “GoTo’s products and services remain fully functional. As part of our efforts, we also continue to deploy enhanced security controls and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity.”
As for LastPass, Toubba said in his post that the investigation into the breach is ongoing.
“We are working hard to understand the scope of the incident and identify what specific information was accessed,” he said.
“In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices for setting up and configuring LastPass, which you can find here.”
It was the second security incident disclosed by LastPass this year, following an August break-in that breached the company’s “developer environment via a compromised developer account.”
Information stolen during the summer incident was used in the most recent incident, LastPass confirmed Wednesday.
In 2015, GoTo, then known as LogMeIn, acquired LastPass. Last year, GoTo announced it planned to spin off LastPass into a separate company.
A GoTo representative referred CRN questions to his blog announcement. A LastPass representative could not be reached for comment.
A GoTo spokeswoman said the company expects the LastPass spinoff to take place in 2023.