Mon | Aug 29, 2022 | 3:30 PM PDT

LastPass, the password manager that stores encrypted passwords online, recently experienced a security incident resulting in a portion of the company's source code being stolen, as well as some proprietary technical information.

According to LastPass CEO Karim Toubba, the incident occurred approximately two weeks ago when the organization detected some unusual activity.

After a thorough investigation, the company was able to determine that an unauthorized third party gained access to its development environment through a single compromised developer account.

Though the threat actor stole some files containing source code, there is no evidence that suggests they were able to access any customer data or password vaults. Toubba said that LastPass's products and services are operating normally.

He also shared how the company responded to the situation:

"In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity."

Tom Davison, Senior Director at Lookout, shared insight into the incident and some advice for LastPass users:

"Password managers make it really easy to use unique strong passwords across multiple accounts, which is a key first step to staying secure online. However, if the master password is compromised, or the password vault somehow exploited, then the impact can be very high.

Fortunately, it does not appear that user data or password vaults have been compromised in this case; however, source code was confirmed stolen and attackers will be looking hard for potential weaknesses to exploit.

LastPass users should stay vigilant, follow the news and watch for any unusual activity or login notifications across their accounts. It is really important to configure all of the available MFA settings provided by LastPass, including the use of an authenticator app to secure logins (SMS has been shown to be vulnerable to SIM swap attacks). For most users, additional MFA confirmations will be done via a mobile device; it is vital that this is secured too."

LastPass security incident FAQs

If you are a LastPass customer, you probably received an email last Friday notifying you of the security incident and that though there was some unusual activity, customer data was not impacted. But what exactly does that mean for you, as a customer?

LastPass provided some additional information, with answers to what they anticipate to be the five most frequently asked questions.

  1. Has my Master Password or the Master Password of my users been compromised?

    No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers' Master Password. You can read about the technical implementation of Zero Knowledge here.

  2. Has any data within my vault or my users' vaults been compromised?

    No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.

  3. Has any of my personal information or the personal information of my users been compromised?

    No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.

  4. What should I do to protect myself and my vault data?

    At this time, we don't recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.

  5. How can I get more information?

    We will continue to update our customers with the transparency they deserve.

Follow SecureWorld News for more cybersecurity coverage.