LastPass says it was breached — again • TechCrunch
Password manager LastPass said it is investigating a security incident after its systems were compromised for the second time this year.
LastPass CEO Karim Toubba said in a blog post that an “unauthorized party” recently gained access to some customer information stored on a third-party cloud service shared by LastPass and its parent company, GoTo. Toubba said the unauthorized party used information stolen from LastPass’s systems in August, which the company disclosed at the time.
Toubba did not say what specific customer information was obtained, but said it was working to “understand the scope of the incident and identify what specific information was accessed.”
GoTo, formerly LogMeIn, which bought LastPass in 2015, said in an equally vague statement that it was investigating the incident. It is not yet clear whether both LogMeIn and GoTo customers were affected by the breach.
LastPass said in August that an unauthorized party “gained access to parts of the LastPass development environment through a single compromised developer account and obtained portions of the source code and some LastPass proprietary technical information.” LastPass said its system design and controls “prevented the threat actor from accessing any customer data or encrypted password vaults.”
Toubba added in Wednesday’s blog post that “customer passwords remain securely encrypted.”
GoTo spokeswoman Elizabeth Bassler declined to comment beyond the LastPass blog post.
If you know more about the LastPass and GoTo breach, get in touch on Signal at +1 646.755.8849 or via SecureDrop.