LastPass, a password management provider, was breached two weeks ago, giving threat actors access to the company’s source code and confidential technical data. The details were revealed when a leading media outlet learned of the breach from insiders last week and contacted the business on August 21 but did not hear back.
Sources revealed that staff members were frantically trying to stop the intrusion after LastPass was compromised. After receiving inquiries regarding the intrusion, LastPass issued a security advisory stating that it had been attacked by hackers who gained access to the company’s developer environment via a compromised developer account. Although threat actors did obtain some of LastPass’s source code and “proprietary LastPass technical information,” the company claims there is no evidence that user data or encrypted password vaults were stolen.
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” explains the LastPass advisory. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
LastPass has not offered any more information regarding the incident, including how the threat actors got access to the developer account and what source code was taken. LastPass, one of the world’s most prominent password management firms, claims that over 33 million users and 100,000 organizations use its services.
Because customers and companies rely on the company’s software to store their credentials safely, there are always worries that if the firm were hacked, threat actors would gain access to the saved passwords. But according to LastPass, its “encrypted vaults,” where passwords are kept, can only be opened with a user’s master password, which the company claims was unaffected by the incident.
Last year, LastPass experienced a credential stuffing incident that gave threat actors access to a user’s master password. It was also discovered that threat actors distributing the password-stealing malware RedLine had obtained LastPass master passwords. It is therefore crucial to set up multi-factor authentication on your LastPass accounts, so that threat actors cannot access your account even if your password is compromised.