LastPass has hired Mandiant to investigate a security incident, and customer passwords "remain safely encrypted," according to LastPass CEO Karim Toubba.LastPass, based in Boston, Massachusetts, spun out from GoTo (formerly LogMeIn) less than a year ago. More than 33 million people use the LastPass password management platform, and the installed base spans more than 100,000 business accounts, according to the company's Website. LastPass also has an MSP partner program.LastPass first disclosed this particular security incident on August 25, 2022. Two status updates -- on September 15 and November 30, 2022 -- have since surfaced."Recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo." "Immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement." "Determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information." "Our customers’ passwords remain safely encrypted due to LastPass's Zero Knowledge architecture." LastPass is still working to "understand the scope of the incident and identify what specific information has been accessed." In the meantime, the company's products and services remain "fully functional," Toubba said.LastPass did not disclose the nature or length of Mandiant's incident investigation services for the company. Google acquired Mandiant for $5.4 billion in September 2022.
Breach, Content
LastPass Hires Mandiant To Investigate Security Incident; Customer Passwords Safe
Closeup Password input box in internet browser on computer screen
Joe Panettieri
Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.
Related Terms
Attack VectorYou can skip this ad in 5 seconds