LastPass has experienced another data breach, but this time, it exposed user data. According to a post from LastPass CEO Karim Toubba, hackers accessed a third-party cloud storage service used by the password manager and were able to “gain access to certain elements” of “customers’ information.”
It’s still not clear what information hackers got access to or how many customers were affected, but Toubba says that users’ passwords weren’t compromised.
“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba writes, citing the company’s policy under which only the user knows their master password and encryption occurs only at the device level, not server-side.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Toubba says, adding that the service remains “fully functional” despite the breach. The company has launched an investigation into what went wrong and said it has also notified law enforcement.