Major password manager LastPass suffered a breach — again

In this photo illustration, the LastPass logo is reflected on the internal discs of a hard drive in 2017 in London. On Wednesday, the password service reported "unusual activity" within a third-party cloud storage service but said that customers' passwords remain safely encrypted. Photo by Leon Neal - Getty Images

LastPass, a major password manager, says it has suffered its second breach in three months by the same unauthorized party.

LastPass CEO Karim Toubba announced Wednesday that the company detected "unusual activity" within a third-party cloud storage service but that customers' passwords remain safely encrypted.

"We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement," Toubba wrote in a statement.

An unauthorized party gained access to parts of the LastPass development environment during a four-day period in August. There was no evidence of access to customer data, Toubba wrote after this first breach, noting that the development environment does not contain any customer data.

Three months later, the same party used the information it gained in August to access "certain elements" of customers' information, Toubba said.

Toubba maintains that passwords are safely encrypted despite the recent breach.

"We are working diligently to understand the scope of the incident and identify what specific information has been accessed," Toubba said. "In the meantime, we can confirm that LastPass products and services remain fully functional."

Still, the company recommended that its users "follow our best practices around setup and configuration," including setting up multi-factor authentication.

Wired named LastPass one of its honorable mentions for password managers this year. Previously, it was the tech publication's favorite free option before LastPass changed its free plan to limit users to a single device.

"Lastpass' paid plan offers most of the same features you'll find in our other top picks, though it lacks the travel features of 1Password and isn't open source like BitWarden," Wired wrote. "We just don't see any reason to suggest it over our top picks, and it was recently hacked."

Copyright 2024 NPR