
LastPass' latest data breach exposed some customer information


CEO Karim Toubba says hackers didn’t gain access to users’ stored passwords, but disclosed that this breach was carried out using information taken back in August.


LastPass has experienced another data breach, but this time, it exposed user data. According to a post from LastPass CEO Karim Toubba, hackers accessed a third-party cloud storage service used by the password manager and were able to “gain access to certain elements” of “customers’ information.”

It’s still not clear what information hackers got access to or how many customers were affected, but Toubba says that users’ passwords weren’t compromised.

“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba writes, citing the company’s policy under which only the user knows their master password and encryption occurs only at the device level, not server-side.

This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before being detected. It looks like this new attack is connected, as Toubba says the company determined that hackers gained access to user data “using information obtained in the August 2022 incident.”

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Toubba says, adding that the service remains “fully functional” despite the breach. The company has launched an investigation into what went wrong and said it has also notified law enforcement.