Password Manager LastPass Used By 25 Million People Has Been Hacked:

Mar 7, 2024

LastPass, one of the most popular password managers in the world with 25 million users, has acknowledged that it was compromised. In a notice sent on August 25, LastPass CEO Karim Toubba said that “portions of source code and certain private LastPass technical knowledge” had been taken by an unauthorised party.

During The LastPass Network Hack, What Was Accessed?

According to the notice, the intrusion was detected two weeks earlier: a single developer account was compromised and used to gain access to portions of the development environment. Incident responders have contained the breach, and LastPass reports no further evidence of unauthorised activity. Toubba also reaffirmed that no evidence has been found of any customer data or encrypted password vaults being accessed.

Has The Security Of Your LastPass Vault Or Master Password Been Compromised?

Users of LastPass will understandably worry that an attacker may have obtained the keys to their online kingdom. However, LastPass has made it plain that master passwords are never stored, because of the ‘zero knowledge’ architecture it uses: the master password stays on the user's device, where it is used to derive the key that encrypts the vault, so the service never sees either. According to Toubba, “LastPass can never know or obtain access to our clients’ master passwords. Your master password was not compromised by this event.” As a result, LastPass says users need take no action to protect their password vaults. That reassurance rests on the encrypted vaults themselves not having been taken; if they ever were, each vault's confidentiality would depend on the strength of its master password and the key-derivation settings, so a strong, unique master password remains the user's main defence.

It’s Not Their First Time In A Fight:

Although LastPass should be commended for its openness in handling this event, customers of the password manager have been through breaking news of a hack before. In June 2015 the company acknowledged that attackers had breached its network; that time, unlike now, users were prompted to change their master passwords on their next sign-in.

Concerns With The Technical Data Taken From LastPass Include:

It is encouraging that this incident did not expose customer data, but the attacker's access to source code and “private technical knowledge” is still concerning, particularly since no further detail has been given about what exactly was taken. Source code alone does not decrypt anyone's vault, but it lets an adversary study the client and service for weaknesses at leisure, which is why the scope of what was stolen matters.

As a breaking news story, this one is still unfolding. The notice that LastPass customers received about the incident is reproduced below.

Notice of Recent Security Incident

To All LastPass Customers,
I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.
Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.
In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.
Thank you for your patience, understanding and support.
Karim Toubba
CEO LastPass
FAQs

1. Has my Master password or the Master Password of my users been compromised?

No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.

2. Has any data within my vault or my users’ vaults been compromised?

No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.

3. Has any of my personal information or the personal information of my users been compromised?

No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.

4. What should I do to protect myself and my vault data?

At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.

5. How can I get more information?

We will continue to update our customers with the transparency they deserve.
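The article and FAQ 1 of the notice above both lean on the term ‘zero knowledge’ without showing what it means in practice. The following is an added example written for this page; it is not LastPass code and makes no claim about LastPass's actual parameters or cipher. It models the general pattern: the client derives a vault key from the master password with a slow KDF, sends the server only a further-derived login hash, and the server stores a salted rehash of that plus the opaque encrypted vault. The iteration count (KDF_ITERATIONS) is a hypothetical, deliberately low value so the demo runs quickly, and the HMAC-based encrypt-then-MAC construction is a standard-library stand-in for an AEAD such as AES-GCM. The last function shows the caveat from the article: an attacker who does obtain the server's records can still guess master passwords offline, paying the full KDF cost per guess, so a weak master password falls to a short wordlist while a strong one does not.

```python
"""Zero-knowledge password-manager pattern (illustrative, not LastPass's implementation)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

KDF_ITERATIONS = 20_000  # hypothetical, kept low for a fast demo; production uses far more


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side only: the key that encrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), KDF_ITERATIONS, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra KDF round over the vault key yields the credential sent to
    the server. Knowing it reveals neither the vault key nor the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys, both derived from the vault key.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (a PRF), used as an XOR pad.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client side, encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag before touching the ciphertext; wrong key -> ValueError."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("vault authentication failed: wrong master password or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Holds only what a zero-knowledge design lets it see: a salted rehash of the
    login hash (never the login hash itself) and the opaque encrypted vault."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict[str, bytes]] = {}

    @staticmethod
    def _rehash(login_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", login_hash, salt, KDF_ITERATIONS, dklen=32)

    def register(self, username: str, login_hash: bytes, encrypted_vault: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"salt": salt,
                                   "stored_hash": self._rehash(login_hash, salt),
                                   "vault": encrypted_vault}

    def login(self, username: str, login_hash: bytes) -> bool:
        acct = self.accounts[username]
        return hmac.compare_digest(self._rehash(login_hash, acct["salt"]), acct["stored_hash"])


def offline_guess(server: Server, username: str, candidates: list[str]) -> str | None:
    """What an attacker holding a copy of the server's records can do: guess master
    passwords, paying the full client-side KDF cost for each guess."""
    acct = server.accounts[username]
    for guess in candidates:
        login_hash = derive_login_hash(derive_vault_key(guess, username), guess)
        if hmac.compare_digest(Server._rehash(login_hash, acct["salt"]), acct["stored_hash"]):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample account; nothing here comes from a real service.
    user, master = "alice@example.com", "correct horse battery staple"
    vk = derive_vault_key(master, user)
    server = Server()
    server.register(user, derive_login_hash(vk, master), encrypt_vault(vk, b"github.com:hunter2"))
    print("login ok:", server.login(user, derive_login_hash(vk, master)))
    print("server record holds the master password:",
          master.encode() in b"".join(server.accounts[user].values()))
    print("short wordlist recovers master password:",
          offline_guess(server, user, ["password", "letmein", "qwerty"]))
```

The server-side rehash matters: if the database stored the login hash as received, a stolen copy could be replayed to log in without knowing the password. The offline-guessing function is the reason the article's caveat holds even under a zero-knowledge design, and the reason the iteration count and master-password strength, not the architecture alone, decide how long a stolen vault stays confidential.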