Password management app LastPass said it was investigating a security incident that occurred after an “unauthorized party” breached its systems and gained access to some customer information on Wednesday. LastPass CEO Karim Tubba said in a blog post that the information is stored in a third-party cloud service shared by LastPass and parent company GoTo. Tubba said hackers used information stolen from LastPass systems in a separate previously disclosed incident that occurred in August of this year. Tubba added in a blog post that “customer passwords remain securely encrypted.”

We recently discovered unusual activity in a third-party cloud storage service currently used by both LastPass and its affiliate GoTo. We immediately launched an investigation, commissioned Mandiant, a leading security firm, and notified law enforcement.

We have determined that an unauthorized person using information obtained during the August 2022 incident has managed to gain access to certain elements of our customers’ information. Thanks to the LastPass Zero Knowledge architecture, our customers’ passwords remain securely encrypted.

According to a blog post dated August 22, in a previous incident, an attacker used a compromised developer endpoint to gain access to the LastPass Development environment to steal source code and some proprietary LastPass technical information. LastPass said at the time their system was “preventing the threat from accessing any customer data or encrypted password storage.”

LastPass is currently working to understand the extent of Wednesday’s incident and determine exactly what information was accessed. GoTo, formerly LogMeIn, said it was also investigating the incident, but did not say whether GoTo users were also affected by the attack. Meanwhile, LastPass products and services remain “fully functional,” Tubba said.