LastPass data breach overview:
- Who: LastPass has announced it has suffered another data breach, the second in three months.
- Why: The company said the breach came out of information stolen in an earlier attack in August.
- Where: LastPass is headquartered in the United States.
Data stolen by hackers in an August attack on password management company LastPass has led to a second, more recent data breach, the company has announced.
In August, LastPass announced it had been hacked, with portions of source code and technical information stolen in the data breach.
After initiating an investigation, the company found an unauthorized party had gained access to parts of the LastPass development environment through a single compromised developer account.
On Nov. 30, LastPass CEO Karim Toubba issued another statement, announcing that the company has experienced another security incident.
LastPass said it “recently” detected unusual activity within a third-party cloud storage service, which is shared by both LastPass and its affiliate, GoTo.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” the company said.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”
LastPass has engaged security firm to tackle data breaches
LastPass said it immediately launched an investigation, engaged “leading security firm” Mandiant and alerted law enforcement after the most recent breach.
It recommended that customers “follow our best practices around setup and configuration of LastPass.”
“As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity,” the statement said.
LastPass is not currently facing legal action over the breach, but Top Class Actions follows data breaches closely as they sometimes end in class action lawsuits.
In August, a settlement was reached between online retail giant cbdMD Inc. and customers who claim the company’s negligence resulted in two data breaches of its website in spring 2020.
Data breaches have become increasingly expensive and irritating to organizations all over the world, according to a new IBM study.
The average cost to clean up the mess of a data breach has reached an all-time high of $4.35 million, an increase of 13% from two years ago.
5 thoughts on LastPass suffers second data breach in 3 months
I’m a Last Pass subscriber, and I’ve been subject to at least two breaches I’m aware of, one of which may be responsible for the fraudulent charges appearing on my Visa credit card.
I was also breached. Please add me to sign up.
I have not received a notice. My accounts have been breached.
You should have a reasonable expectation this was unsafe. Google wouldn’t allow the Extension after I signed up, now I’m glad. Last Pass still wanted to charge me. Look forward to joining a Top Class action!
I was sent an email from them stating that my information was compromised. So what do I do now?