LastPass, one of the most popular password managers in the world with 25 million users, has acknowledged a breach. In a warning released on August 25, LastPass CEO Karim Toubba said that “portions of source code and some proprietary LastPass technical information” had been taken by an unauthorized person.
What is LastPass?
LastPass is a password manager that stores your passwords in a secure database and encrypts them with a master password. It can generate strong passwords for you and autofill them on websites and apps. LastPass can also share passwords with other people and sync across all of your devices.
LastPass is a great way to keep your passwords safe and secure. It’s easy to use and helps you stay organized. If you’re looking for a password manager, we highly recommend giving LastPass a try.
Incident timeline
Lastpass sent out a notice on August 27th at 2:05 am regarding a potential security incident on their network.
According to LastPass the events were as follows:
“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally. In response to the incident, we have deployed containment and mitigation measures and engaged leading cybersecurity and forensics firms. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. “
While the incident seems somewhat benign, it wasn’t explained how the developer account was compromised. This could mean that there is a bigger security issue that involves the compromise of LastPass’s network itself but at this point this is unclear.
Have user master passwords been affected?
LastPass has stated that they have never stored any master passwords for their users, which means there is zero chance of any user’s master password being affected in this data breach.
Has user vault data been leaked?
This incident occurred solely in the development environment and there is zero evidence showing that any unauthorized access to user vault’s occurred. Furthermore, they ensure that only customers have access to decrypt vault data.
Has any personal information been leaked?
Their investigation has discovered no evidence that any unauthorized access to customer data occurred.
What action should customers take?
At this time no action is required on the end of customers to maintain company security. For more information on the incident check LastPass’s official statement regarding the incident here: Notice of recent Security Incident
Best Read: Google faces record-breaking DDOS Attack
