On November 30, 2022, password manager LastPass informed customers of a cybersecurity incident following unusual activity within a third-party cloud storage service. While LastPass claims that users’ passwords remain safely encrypted, it admitted that certain elements of customers’ information have been exposed. The incident is the latest to affect the service in recent years, following unauthorized access to its development environment in August 2022, serious vulnerabilities in 2017, a phishing attack in 2016, and a data breach in 2015.

Here is a timeline of the most recent LastPass data breaches, from August 2022 to the present.

[Editor's note: This article, originally published on January 11, 2023, will be updated as new information becomes available.]

August 25, 2022: LastPass detects "unauthorized" access

LastPass CEO Karim Toubba wrote to inform LastPass users that the company had detected unusual activity within portions of the LastPass development environment. “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”

In response to the incident, LastPass deployed containment and mitigation measures and engaged a cybersecurity and forensics firm, Toubba added. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

September 15, 2022: LastPass says no customer data or passwords compromised

LastPass announced that it had completed its investigation of the August breach and determined that the attacker did not access any customer data or password vaults. It also confirmed that the access point was a developer’s compromised computer and that the attacker was in the system for a total of four days.

November 30, 2022: LastPass notifies customers of new security incident

LastPass notified users of a new security incident that its team was investigating. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” Toubba wrote.

The company determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain customers’ information, Toubba said, while stating that passwords remained safely encrypted due to LastPass’s Zero Knowledge architecture. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” he added. Users were advised to follow best practices around the setup and configuration of LastPass.

December 1, 2022: Researcher urges LastPass customers to stay vigilant

Yoav Iellin, senior researcher at Silverfort, stated that given the vast number of passwords LastPass protects globally, it remains a big attack target. “The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.”

Iellin urged users to stay vigilant for updates from the company and to take time to verify these were legitimate before taking any action. “In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security,” Iellin added.

December 22, 2022: LastPass confirms theft of source code and technical information

In an update on the investigation, Toubba stated that source code and technical information stolen from the LastPass development environment were used to target an employee and obtain credentials and keys, which were then used to access and decrypt some storage volumes within a cloud-based storage service. “To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass services,” Toubba wrote.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container. That backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data, he added.
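The encrypted fields in that stolen backup are protected by a key derived from the customer's master password, so anyone holding a copy can test master-password guesses offline with no server-side rate limit; the only brakes are the password's strength and the cost of the key-stretching function. The following is an added example, not LastPass code or LastPass's actual vault format: it builds a toy vault record with a constructed layout, an assumed PBKDF2-HMAC-SHA256 key derivation and an assumed iteration count (the page does not name LastPass's hashing method or parameters), runs a small dictionary attack with a few cracker-style mangling rules against it, and estimates expected crack time from password entropy and iteration count. The wordlist, passwords, URL and key-check tag are all constructed for illustration.

```python
"""Offline dictionary attack against a stolen, PBKDF2-protected vault blob.

Added example, not LastPass code. The vault layout, KDF choice, iteration
count, wordlist and passwords below are constructed assumptions for
illustration; they are not LastPass's real format or parameters.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000          # assumed stretching factor for the toy vault
KEY_CHECK_LABEL = b"vault-key-check"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256, assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Build a toy vault record: cleartext metadata (a URL, mirroring what the
    breach notice says is stored unencrypted), the KDF parameters, and a
    key-check tag computed from the vault key. The tag stands in for real
    ciphertext: whoever holds the blob can verify guesses against it offline."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    tag = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return {"url": "https://example.com/login",   # constructed cleartext field
            "salt": salt, "iterations": iterations, "tag": tag}


def guess_matches(vault: dict, candidate: str) -> bool:
    """Re-derive the key from a candidate password and check it against the tag."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    tag = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, vault["tag"])


def mangle(word: str):
    """A few cracker-style rules: capitalisation plus common digit/symbol suffixes."""
    for base in (word, word.capitalize()):
        for suffix in ("", "1", "!", "2022", "2022!", "123"):
            yield base + suffix


def offline_guess(vault: dict, wordlist, max_guesses: int = 10_000):
    """Dictionary attack on the stolen blob. Returns (password or None, guesses made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            if guesses >= max_guesses:
                return None, guesses
            guesses += 1
            if guess_matches(vault, candidate):
                return candidate, guesses
    return None, guesses


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float) -> float:
    """Expected time to hit a password of the given entropy: on average half the
    keyspace is searched, and every guess costs `iterations` HMAC computations."""
    return (2 ** (entropy_bits - 1)) * iterations / hmac_per_second


# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["password", "welcome", "summer", "lastpass", "dragon", "letmein"]

if __name__ == "__main__":
    weak = make_vault("Summer2022!")                          # dictionary word + rule
    strong = make_vault("correct-horse-battery-staple-7Qv")   # not reachable by the rules
    print(offline_guess(weak, WORDLIST))     # ('Summer2022!', 35)
    print(offline_guess(strong, WORDLIST))   # (None, 72)
    # Same KDF, two password strengths, at an assumed 1e9 HMAC/s cracking rig:
    for bits in (28, 60):
        print(bits, "bits ->", expected_crack_seconds(bits, KDF_ITERATIONS, 1e9), "seconds")
```

Two things follow from the model. Raising the iteration count multiplies the attacker's cost linearly, but password entropy multiplies it exponentially, which is why the advice to customers centres on master-password strength rather than on anything the vendor can change after the fact. And the cleartext URL in the record is worth as much to a phisher as the ciphertext is to a cracker: it tells the attacker which sites a given customer has accounts on.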
“There is no evidence that any unencrypted credit card data was accessed.”

Toubba warned that the threat actor may attempt to brute-force master passwords and decrypt the copies of vault data they took, but said that because of the hashing and encryption methods LastPass uses, doing so would be extremely difficult for customers who follow its password best practices. “The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault.”

LastPass has added logging and alerting capabilities to help detect any further unauthorized activity, is rotating all relevant credentials and certificates that may have been affected, and is supplementing its existing endpoint security, Toubba stated. “We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed. This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”

January 3, 2023: Anonymous plaintiff files class action lawsuit against LastPass

An anonymous plaintiff filed a class action lawsuit against LastPass relating to the data breaches. “This is a class action for damages against Defendant for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach,” the lawsuit read. Highly sensitive data was exposed, it continued, impacting potentially millions of LastPass users and resulting in the unauthorized public release and subsequent misuse of their names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which customers were accessing the LastPass service, and customer vault data. The lawsuit claimed that LastPass’ “best practices” were woefully insufficient to protect its users’ private information from compromise and misuse.

January 23, 2023: LastPass parent GoTo CEO says attacker exfiltrated encrypted backups

In an update on the ongoing investigation into the security incident, Paddy Srinivasan, CEO of LastPass parent company GoTo, stated that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” Srinivasan wrote.

At the time of writing, Srinivasan said there was no evidence of exfiltration affecting any GoTo products other than those referenced, or any of GoTo’s production systems. “We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts,” Srinivasan added. “Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable. In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options.”

February 27, 2023: LastPass reveals that one of its DevOps engineers was hacked

A LastPass update on its second breach confirmed that it was related to the initial incident, which ended on August 12, 2022. The company said the connection was not obvious because the attacker’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) “were not consistent with those of the first [breach].”

The second attack did make use of information exfiltrated during the initial incident: valid credentials of a senior DevOps engineer who had access to a shared cloud storage environment. This made the attacker’s activity difficult to identify, since it appeared to be legitimate. AWS GuardDuty alerts did notify LastPass of anomalous behavior after the attacker attempted to use cloud identity and access management (IAM) roles for unauthorized activity.