LastPass discloses August 2022 security breach

LastPass, maker of the popular password management solution, disclosed a security breach on the company blog.

According to the published information, LastPass noticed “unusual activity” about two weeks ago in the development environment. An investigation confirmed that “an unauthorized party” gained access to parts of the development environment of the company; this happened through a developer account that had been compromised.

The threat actor managed to obtain “portions of source code and some proprietary LastPass technical information”. Products and services were not affected, and user data was not in danger at any point, according to the announcement.

LastPass hired a “leading cybersecurity and forensics firm” to investigate the breach. Containment and mitigation measures were deployed immediately and the company states that it has contained the breach and implemented additional security measures. It has not seen evidence of further unauthorized activity in the development environment or elsewhere.

LastPass notes in an FAQ that user data has not been compromised. The company’s zero knowledge security model ensures that master passwords are secure, according to the company. LastPass recommends that users follow best practices, which include using the company’s LastPass Authenticator application. The app adds a second layer of authentication to the verification process.

The August 2022 security breach is not the first such incident that LastPass has disclosed. In 2015, LastPass was hacked. At that time, attackers managed to steal user data, including email addresses, password reminders, authentication hashes and other data.

In 2021, LastPass announced that it would become an independent company. Changes were announced to LastPass Free, the free plan of the password management service, that made some users migrate to other password management solutions, including Bitwarden and KeePass.

LastPass fails to disclose additional details on the breach. Can the downloaded data be used to devise further attacks against the company or its users?

Users of the service, and of any other online password management solution, should follow best practices to secure their accounts. One of the best options is to implement two-factor authentication. Depending on the service, other options may be available, including separating password databases.

Closing Words

It appears that the August 2022 security breach that LastPass disclosed had a limited scope. User data and the production environment were not breached, according to the disclosure.

Now You: do you use a password manager? (via Born)
