“An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” the makers of the popular password manager LastPass announced on Thursday, but reassured users that the Master Passwords securing their password vaults are safe.
What happened?
LastPass says that they detected the breach two weeks ago, but that they haven’t (to this date) discovered evidence of the attacker gaining access to customer data in their production environment or encrypted password vaults.
“This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” the company added.
The attacker apparently got in by compromising a developer account. How, exactly? LastPass hasn’t shared.
The company is sending out emails to notify users of the breach, but is not requiring them to change their Master Password. Nevertheless, it is urging users to follow security best practices to keep their accounts secure: keeping devices updated, using strong, unique passwords, and setting up multifactor authentication (MFA) for additional security.
Unfortunately, it’s impossible to predict how the stolen source code and technical information will end up being used by attackers. There is the possibility of it helping attackers to discover vulnerabilities that can be exploited to compromise accounts.
In the past 5-6 years, several vulnerabilities in LastPass and its extensions were flagged by Google researcher Tavis Ormandy.
Source: https://www.helpnetsecurity.com/2022/08/26/lastpass-breach/