The password manager LastPass has had another security breach, stemming directly from one that occurred in August.
“An unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” LastPass CEO, Karim Toubba, wrote in a blog post Wednesday. “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
LastPass’s zero knowledge model means that only the customer, not LastPass, has access to an account’s master password.
LastPass’s services are fully functional, Toubba said. The company is working with an outside security firm to determine the scope of the breach and exactly what information was accessed.
The breach was identified in a cloud storage service shared by LastPass’s affiliate GoTo, which acknowledged the same breach on Wednesday.
