LastPass, a global leader in password management solutions, has reported a data breach as the result of a cyberattack. LastPass is employed by approximately 30 million individuals worldwide, including 85,000 business customers.
After detecting suspicious activity in early August, LastPass discovered that an unauthorized third party had gained access to a single compromised developer account. The access to the account offered the attacker access to the LastPass development environment. To determine what data the hackers had obtained, LastPass immediately began a forensic investigation. The company learned that parts of its source code and certain proprietary LastPass technical data were obtained by the attackers.
Breach notification letters have been sent to customers to inform them and to reassure them that, while some company information was taken in the attack, user password vaults were unaffected and the incident had no impact on the firm's products or services. LastPass was able to limit the attacker's reach because of its zero-knowledge model, in which access to an encrypted password vault is restricted to the individual user. Users unlock their vaults by providing a master password and completing multi-factor authentication.
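The paragraph above describes the zero-knowledge model only in outline. The following is an added example, written for this page and not LastPass's own implementation, of what that model means in practice: the master password never leaves the device, the key that encrypts the vault is derived locally, and the server receives only a further one-way derivative that it can verify but not invert. The iteration counts, the use of the normalised e-mail address as a salt, and the HMAC-SHA256 counter-mode cipher standing in for a real authenticated cipher such as AES-GCM are all assumptions made so the example runs with the Python standard library alone.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Illustrative work factors (assumptions for this example, not LastPass's actual settings).
CLIENT_ITERATIONS = 100_000   # performed on the user's device
SERVER_ITERATIONS = 50_000    # performed on the server over the value it receives


def derive_vault_key(master_password: str, email: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the 256-bit key protecting the vault.
    The normalised account e-mail is the salt (assumption), so equal passwords give different keys."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one further one-way step yields the only secret that leaves the device.
    The server can check this value but cannot invert it to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


def client_login_material(master_password: str, email: str) -> tuple[bytes, bytes]:
    vault_key = derive_vault_key(master_password, email)
    return vault_key, derive_auth_hash(vault_key, master_password)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher (stand-in for AES-GCM).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _split_keys(vault_key: bytes) -> tuple[bytes, bytes]:
    enc_key = hmac.new(vault_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with keys split off the vault key; the server only ever sees the output."""
    enc_key, mac_key = _split_keys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes | None:
    """Returns the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _split_keys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ZeroKnowledgeServer:
    """Stores only a salted re-hash of the authentication value plus the opaque encrypted vault."""

    def __init__(self) -> None:
        self._records: dict[str, dict[str, bytes]] = {}

    def register(self, email: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored_auth = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
        self._records[email.strip().lower()] = {"salt": salt, "auth": stored_auth, "vault": encrypted_vault}

    def verify(self, email: str, auth_hash: bytes) -> bool:
        record = self._records.get(email.strip().lower())
        if record is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, record["auth"])

    def fetch_vault(self, email: str, auth_hash: bytes) -> bytes | None:
        # The ciphertext is released only to a caller holding the correct authentication value.
        if not self.verify(email, auth_hash):
            return None
        return self._records[email.strip().lower()]["vault"]

    def everything_stored(self, email: str) -> bytes:
        # Everything a compromise of this server's database would expose for one account.
        return b"".join(self._records[email.strip().lower()].values())
```

The point of the split is visible in `everything_stored`: a copy of the server's records contains the encrypted vault and a value that is two one-way derivations away from the master password, but neither the master password nor the vault key. What protects the vault after such a leak is therefore the strength of the master password together with the client-side iteration count, which is why the weak-master-password caveat matters.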
LastPass has implemented a range of containment and mitigation measures with the help of a cybersecurity firm to limit the damage of the attack and to prevent further data breaches. The company has said that it will continue to evaluate additional mitigation measures to improve its security posture. LastPass has not advised its users to take any action to prevent or mitigate harm, as no evidence has been found of unauthorized access to customer data. The company does, however, recommend that users follow its best practices for the setup and configuration of LastPass.
“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” states Karim Toubba, CEO of LastPass.
LastPass previously experienced a cyberattack in 2015, in which the attackers acquired customer credential information. Although the attackers obtained only hashed passwords, which placed at risk mainly those users with weak master passwords, LastPass nonetheless carried out a complete password reset for its users.