LastPass has notified users of a security incident after an unauthorized party gained access to part of the company’s internal network.
In a statement released yesterday (August 25), LastPass CEO Karim Toubba said the company had detected “unusual activity” within portions of its development environment.
The ensuing investigation found that the attacker had gained access through a single compromised developer account and “took portions of source code and some proprietary LastPass technical information.”
Because of LastPass’ zero-knowledge architecture, users’ master passwords were not exposed in the attack: LastPass does not store master passwords and has no way to recover them.
According to the company, there was no evidence that encrypted vault data had been accessed without authorization, and it reiterated that “the zero-knowledge model ensures that only the customer can decrypt vault data.”
Mitigation measures
LastPass has engaged a cybersecurity and forensics firm to assist with “containment and mitigation” measures.
“Although we are still investigating, the investigation has been contained, and additional enhanced security measures have been implemented,” Toubba said.
“At this time, we don’t recommend any action on behalf of our users or administrators.”