Password manager LastPass with 33 mn global users 'hacked'; users' passwords safe
US-based LastPass, a password manager used by more than 33 million people worldwide, reported that a hacker recently stole source code and confidential information after breaking into its systems. According to its recent blog post, the company does not think any passwords were taken as part of the breach, and users need not take any action to secure their accounts.
An investigation determined that an "unauthorised party" broke into its developer environment, the software that employees use to build and maintain LastPass’ product. The perpetrators gained access through a single compromised developer's account, Bloomberg reported.
LastPass generates and stores hard-to-crack, auto-generated passwords for multiple accounts, such as Netflix or Gmail, on behalf of its users, so that they do not need to enter credentials manually, it said.
Cybersecurity website Bleeping Computer reported that it had asked LastPass about the breach two weeks ago. Allan Liska, an analyst on the Computer Security Incident Response Team at cybersecurity company Recorded Future, said that he was impressed with the "speedy notification" from LastPass.
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” Karim Toubba, Chief Executive Officer at LastPass said.
While he said that the 2008-founded company will continue to update users as and when needed, Toubba also assured that the incident did not compromise users’ master password. “We never store or have knowledge of your Master Password. We utilise an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” he said.
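The "Zero Knowledge" claim above rests on a simple design rule: the master password is only ever used on the client, where it is run through a key-derivation function, and the server stores nothing from which it can be recovered. The following is an added illustration of that rule, not LastPass's code, and its KDF choice, iteration count, salt handling and toy vault cipher are assumptions made for the example; a real product would use AES-GCM or similar for the vault and its own tuned parameters.

```python
"""Illustrative zero-knowledge password-manager flow (added example, not LastPass's code)."""
import hashlib
import hmac
import os

# Assumed parameter: real products choose their own KDF and iteration counts.
KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client side only: the key that encrypts the vault. Never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)


def derive_auth_token(vault_key: bytes, salt: bytes) -> bytes:
    """Client side: a further one-way step so the value the server holds is not the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt + b"auth", 1, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for authenticated encryption (constructed for the example; not for production)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Server:
    """Stores only salt, auth token and ciphertext: no master password, no vault key."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, salt: bytes, auth_token: bytes, encrypted_vault: bytes):
        self.users[email] = {"salt": salt, "auth": auth_token, "vault": encrypted_vault}

    def login(self, email: str, auth_token: bytes):
        rec = self.users.get(email)
        if rec is None or not hmac.compare_digest(rec["auth"], auth_token):
            return None
        return rec["vault"]  # still ciphertext; the server cannot open it

    def dump(self) -> dict:
        """Everything an attacker who copies the server's database would obtain."""
        return {e: dict(r) for e, r in self.users.items()}


def client_register(server: Server, email: str, master_password: str,
                    vault_plaintext: bytes, salt: bytes = None) -> bytes:
    """Runs on the user's device; returns the salt so the client can log in later."""
    salt = salt or os.urandom(16)
    vault_key = derive_vault_key(master_password, salt)
    server.register(email, salt, derive_auth_token(vault_key, salt),
                    keystream_xor(vault_key, vault_plaintext))
    return salt


def client_login(server: Server, email: str, master_password: str, salt: bytes):
    """Re-derives the keys locally; a wrong master password yields a wrong token and fails."""
    vault_key = derive_vault_key(master_password, salt)
    ciphertext = server.login(email, derive_auth_token(vault_key, salt))
    return None if ciphertext is None else keystream_xor(vault_key, ciphertext)


def server_holds_secret(server: Server, email: str, master_password: str) -> bool:
    """Check what a server-side leak exposes: the master password or the vault key itself."""
    rec = server.dump()[email]
    vault_key = derive_vault_key(master_password, rec["salt"])
    return any(master_password.encode() in v or vault_key in v for v in rec.values())


if __name__ == "__main__":
    srv = Server()
    salt = client_register(srv, "user@example.com", "correct horse", b"netflix: hunter2")
    print(client_login(srv, "user@example.com", "correct horse", salt))
    print(server_holds_secret(srv, "user@example.com", "correct horse"))
```

Walking through the flow shows why a leak of source code or even of the server's database does not by itself hand over vault contents: the attacker would still have to guess the master password and run the full key derivation for each guess, which is exactly the cost a strong master password and a high iteration count are meant to make prohibitive.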
"While two weeks might seem like a long time to some, it can take a while for incident response teams to fully assess and report on a situation," Liska said. "It will take time to fully determine the extent of any damage that may have been a result of the breach. However, for now it appears to not be client-impacting."
"It is unlikely that the stolen source code will give the criminals access to customer passwords," he added.