Hacker Steals Source Code, Proprietary Data From LastPassSecurity Experts Continue to Recommend Password Managers as Security Best Practice
A threat actor gained unauthorized access to the source code and proprietary technical information of password manager LastPass, the company told its customers on Thursday.
The unauthorized user compromised a single developer account to steal portions of the LastPass development environment, the company says. There is "no evidence" the attacker gained access to customer data or encrypted password vaults, LastPass spokesperson Nikolett Bacso-Albaum tells Information Security Media Group. The incident occurred two weeks ago.
The company says its zero knowledge model ensures that only customers can access decrypted password vault data. LastPass products and services were not disrupted by the incident, Bacso-Albaum adds.
LastPass says it has contained the impact from the incident, implemented additional security measures, and hired a security and forensics firm to conduct the investigation.
"We are evaluating further mitigation techniques to strengthen our environment," says Karim Toubba, CEO of LastPass.
This isn't the first time LastPass has been a target for hackers, including a 2015 incident that saw attackers make off with usernames and hashed master passwords (see: LastPass Sounds Breach Alert). Users with strong master passwords used for unlocking access to the password vault had little cause for concern - even less so if they activated multifactor authentication.
Strong security practices by the password manager industry has security experts continuing to recommend password managers as a best practice. A recent study found password strength increases significantly when users use an application to manage passwords. The 2019 study, led by human-centered security researcher Karen Renaud, found only about 10 percent of a surveyed student population used password managers.
A late 2021 online survey by Security.org found the adoption rate to be 20 percent, the same percentage of the population that admitted to reusing the same handful of passwords for online account access.