By Tyler Durden
LastPass, one of the world’s most popular password managers, has confirmed it has been hacked…err, has had a “security incident”.
Last week the company started notifying its users of a “recent security incident” where an “unauthorized party” gained access to a developer account and accessed parts of its password manager’s source code and “some proprietary LastPass technical information,” according to The Verge.
The company said that some source code was stolen, but that no passwords were taken.
It wrote a letter to its users on Wednesday which stated:
“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
It continued: “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” the letter concluded.
In a FAQ attached to the bottom of the letter, the company says that users’ Master Passwords had not been compromised:
“This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.”
The company also said that no data from clients’ vaults had been taken because the hack happened in the development environment. The letter stated:
“This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.”
LastPass is used by more than 33 million clients worldwide.
According to The Verge report, the company has explained to its users that they don’t have to do anything specific to respond to the hack. And, as long as this week’s disclosure covered the extent of it, and there are no additional details about the breach that come out over the next few days, maybe LastPass (and its users) can move forward from the incident…