In November 2022, GoTo (formerly LogMeIn) disclosed a security breach of their development environment and a cloud storage service used by them and LastPass (their affiliate).
August ’22 Incident
The investigation determined that the threat actor gained access to the development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise could not be conclusively determined, the threat actor used their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication, and then gained access to LastPass source code.
During this timeframe, the LastPass security team detected the threat actor’s activity and then reportedly contained the incident.
November ’22 Incident
In November 2022, GoTo (formerly LogMeIn) disclosed a security breach of their development environment and a shared cloud storage service used by both GoTo and LastPass (their affiliate), presumably as a result of the August ’22 incident.
December ’22 Incident
The threat actor accessed a cloud-based storage environment using information obtained in the August ’22 incident. They also managed to compromise the workstation of another employee and exploited a Plex vulnerability. They installed a keylogger and obtained credentials and keys, which were used to access and decrypt some storage volumes within the cloud-based storage service.