LastPass security incident

Posted date 09/12/2022

GoTo and LastPass, affiliated entities, have issued official statements reporting a security breach in their systems. Unauthorised access has been detected, carried out using information obtained in another incident that took place in August 2022, which allowed access to certain elements of their customer data.

Additionally, GoTo and LastPass have initiated an investigation to understand the scope of the incident and identify what specific information was accessed, with LastPass confirming that products and services remain fully functional.

[Update 27/12/2022] LastPass has updated its information on this incident, clarifying that the attackers obtained user password vaults, allowing them to extract information from a backup that contained customer information and related metadata, such as company names, end users, billing addresses, email addresses, phone numbers and IP addresses, although this data is encrypted with 256-bit AES.