LastPass Discloses Another Security Breach

The company says unauthorized parties accessed "certain elements of our customers' information" but not passwords.

Andrew Blok Editor I
Andrew Blok is a former editor for CNET who covered home energy, with a focus on solar. As an environmental journalist, he navigates the changing energy landscape to help people make smart energy decisions. He's a graduate of the Knight Center for Environmental Journalism at Michigan State and has written for several publications in the Great Lakes region, including Great Lakes Now and Environmental Health News, since 2019. You can find him in western Michigan watching birds.
Expertise Solar providers and portable solar power; coffee makers, grinders and products Credentials
  • Master's degree in environmental journalism
Andrew Blok
Sarah Tew/CNET

Password manager LastPass has had another security breach, stemming directly from one that occurred in August, the company said Wednesday. 

"An unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information," LastPass CEO Karim Toubba wrote in a blog post. "Our customers' passwords remain safely encrypted due to LastPass's Zero Knowledge architecture."

LastPass is designed to let people securely generate and save passwords across their devices, store digital records, and share both with trusted contacts. LastPass' zero knowledge model is meant to give only the customer, and not LastPass, access to an account's master password.

The company's services are fully functional, Toubba said. LastPass is working with an outside security firm to determine the scope of the breach and exactly what information was accessed, the company said.

The breach was identified in a cloud storage service shared by LastPass affiliate GoTo, which acknowledged the same breach on Wednesday.