The 2022 LastPass data breach keeps getting worse and worse

Last year LastPass, the encrypted password-protecting app, released details of a data breach that affected both the company and customers. The details of this breach have trickled out over time, with some of the more disturbing info being held over until the world was on holiday.

As the late, great Billy Mays once said, ‘But wait, there’s more!’ The company that owns LastPass, GoTo, has confirmed that customer data was also hauled off during the hack. Some of that customer data is at risk.

Head ’em off at the LastPass

The company’s second hack of 2022 resulted in more extensive information being liberated than was first announced. According to an official statement, whoever jacked the company’s system “exfiltrated encrypted backups from a third-party cloud storage service.”  The data affected several services owned by GoTo, including products Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

But wait, there’s more! Also included in the data stolen was “an encryption key for a portion of the encrypted backups”. That’s… not good.

The encryption key may have included “account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information”.

So while your personal password database is still, more or less, safe, if you used any of the company’s other services, your information could well be at risk. Why GoTo didn’t just protect its encryption key info with LastPass will forever remain a mystery, we guess. [/sarcasm]

Source: via TechCrunch