

For many LastPass employees – from software engineers to C-level executives – the last few months have been hell. Since December, the company has been embroiled in what’s shaping up to be a major data security scandal. You can find the full details elsewhere (such as in this Ars Technica story or in the LastPass blog), but to recap: LastPass suffered from two data breach incidents in August 2022.

In the first incident, some proprietary data was stolen – including development and source code repositories, internal scripts, and documentation. However, LastPass announced at the time that customer data wasn’t compromised. Unfortunately, this was not the case in the second incident, which occurred shortly thereafter (and was only discovered at the end of February).

A DevOps engineer was specifically targeted by the attacker, who exploited a third-party software vulnerability on the employee's home computer, along with information stolen in the first breach. The attacker used this vulnerability to gain access to cloud backups – and to access a shocking amount of the most sensitive data imaginable. LastPass is not just another software company. It's an organization whose mission statement is closely tied to managing extremely sensitive user data: passwords. These credentials are the keys to every element of our online identity. In an increasingly digital world, they can unlock our personal correspondence, our health data, and our financial records.
