Internal source code and documents were stolen from LastPass by a cyber thief.
The password manager maker said Thursday that someone had broken into one of its developers' accounts and used it to gain access to proprietary data.
The business, a major name in the security world and based in Massachusetts, insisted its users' passwords were still secure, adding that the theft happened about two weeks ago. GoTo-owned LastPass is said to have more than 25 million users and 80,000 business customers.
“We determined that an unauthorized party gained access to parts of the LastPass development environment through a single compromised developer account and stole parts of the source code and some proprietary technical information from LastPass,” said CEO Karim Toubba in a statement.
“Our products and services are functioning normally.”
The breach became apparent, we’re told, after “some unusual activity” was detected in the development area of LastPass’s computer network. The software house said it contained the breach, took steps to prevent it from happening again and asked outside infosec experts for help.
The chief executive said his team may take additional steps to strengthen its network defenses.
LastPass offers a software vault that stores your website login username and password pairs, saving you the hassle of memorizing long, complex strings of characters: you can create unique and hard-to-crack passwords for each site account and store them in your vault to let. A master passphrase is required to unlock and use these credentials. All you have to do is create that secret phrase and remember it.
We’re told these master passwords are still secure and haven’t been compromised or accessed by the intruder, and the contents of people’s vaults are also untouched. For one thing, LastPass doesn’t know or store a copy of your Master Password: you need to remember and protect it.
Sit back and relax is the message. “Our investigation found no evidence of unauthorized access to customer data in our production environment,” LastPass added in a statement. “At this time, we are not recommending any action on behalf of our users or administrators.”
However, LastPass has not been free of bugs over the years. In 2019 it fixed a flaw that websites could exploit to steal passwords for accounts on other websites, it had a serious password-leaking defect in its code in 2017, and so on.
https://www.theregister.com/2022/08/25/lastpass_security/ LastPass source code, blueprints stolen by intruder • The Register