Password manager LastPass is investigating an internal data breach. An unauthorized attacker recently gained access to customer data.
The organization disclosed the news in a statement. Details are scarce. LastPass did not confirm whether or how much data was captured. The organization informed authorities and engaged security firm Mandiant. The signs point to a serious incident.
LastPass develops password management solutions. Companies and consumers use the software to generate and store passwords.
“We recently detected unusual activity within a third-party cloud storage service”, the organization said. Further investigation revealed that an attacker gained access to “certain elements of our customers’ information”, LastPass added.
LastPass did not specify the information in question. The organization emphasized that customer passwords are encrypted.
Hit twice
The attacker gained access to the cloud storage service using data stolen earlier this year. In August 2022, an attacker used a compromised developer account to exfiltrate data from LastPass.
At the time, the organization said that the attacker only had access to the company’s development environment. Customer data and passwords were said to be secure. “We want to assure you that your personal data and passwords are safe in our care”, LastPass said.
That statement didn’t age well. The organization has confirmed that the August incident enabled the most recent attack. This time, customer information definitely is at risk.
LastPass did not confirm whether data was stolen, but the attacker undoubtedly had access. The investigation is ongoing. “We will continue to provide updates as we learn more”, LastPass said.