Main Highlights:
- Hackers have stolen the source code of LastPass, but the users are safe now.
- It happened a couple of weeks back, but we are now getting to know about it.
- They also retained the services of a cybersecurity and forensics firm.
LastPass, a password management service, reported that its developer account had been compromised and source code data had been taken. According to its official announcement, the encrypted passwords of its users were not hacked.
They confirmed that their developer environment had been compromised about two weeks ago. The source code and confidential information were stolen as a result of the breach.
According to the company, the hacker gained access to the developer environment by compromising a single developer account.
This month, bad actors breached LastPass, a password management service, obtaining source code and other technical information.
LastPass CEO Karim Toubba addressed the situation in a blog post. LastPass is used by over 33 million individuals worldwide.
The company issues an official statement.
According to LastPass CEO Karim Toubba, a hacker obtained access to elements of the LastPass development environment via a single hacked developer account and stole pieces of source code as well as certain sensitive LastPass technical knowledge. “Our goods and services are fully operational,” he added.
“We spotted some strange behaviour inside areas of the LastPass development environment two weeks ago,” he explained. “After launching an immediate investigation, we have found no indication that this issue entailed any access to client data or encrypted password vaults. We concluded that an unauthorised entity obtained access to sections of the LastPass development environment via a single hacked developer account and stole source code as well as certain confidential LastPass technical knowledge.”
According to Toubba, LastPass implemented containment and mitigation measures. It also retained the services of a cybersecurity and forensics firm.
“We have established a state of containment, applied additional, improved security measures, and find no further signs of illegal activity,” he stated. “We are considering further mitigation strategies to enhance our environment based on what we have learnt and done.”
No customer data was accessed.
According to LastPass, its review found no indication of illegal access to client data in its production environment. Furthermore, the event did not jeopardise its clients’ master passwords. Master passwords are encrypted and saved on the user's device, and they are used to access the vault and its contents safely.
“Password managers make it incredibly easy to utilise distinct strong passwords across several accounts,” he explained. “However, if the master password is hacked or the password vault is somehow abused, the consequences can be severe. Fortunately, no user data or password vaults appear to have been hacked in this situation. However, source code has been confirmed stolen, and attackers will be on the lookout for any flaws to exploit.”
Users Must Remain Alert
Users should be cautious now that LastPass has been hacked, according to Davidson. They should keep up with the news and keep an eye out for any strange behaviour or login alerts across their accounts.
“It is critical to set up all of LastPass’ available multifactor authentication (MFA) options, including the usage of an authenticator app to safeguard logins (SMS has been demonstrated to be vulnerable to SIM swap attacks),” he stated. “Most users will do further MFA confirmations using a mobile device. It is critical that this also be safeguarded.”
“Over the last few years, LastPass has been a major target for hostile actors,” he added. “This makes sense given that LastPass controls millions of websites and applications. In the event of stolen source code, I would be more concerned about where the malicious actor may have been or may still be in my environment.”
What is LastPass?
LastPass is a password management application that allows you to securely store all of your internet login credentials (usernames and passwords) in one place.
It can generate unique, difficult-to-crack passwords for each site account and store them in your vault, freeing you from memorising a huge number of long, complex sequences.
Only the master password can unlock and use the securely saved login credentials. As a result, users need only generate and remember the master password. The firm has around 33 million users worldwide.
Aside from LastPass, the other alternative password management systems include Apple’s iCloud Keychain and Google Password Manager.