LastPass, one of the world's biggest password managers with more than 25 million users, has confirmed a data breach. The company rolled out an email advisory to its users while news headlined "LastPass Hacked" spread like wildfire.
In the advisory published on August 25, Karim Toubba, the LastPass CEO, stated that an unauthorized party had stolen "portions of source code and some proprietary LastPass technical information." According to the company, no customer passwords or accounts were affected.
The password management firm got hacked a couple of weeks ago in one of the biggest security breaches of 2022. Insiders revealed some details to multiple news outlets stating that employees were scrambling to contain the attack after the breach.
LastPass was Hacked Two Weeks Ago; Issued Advisory on August 25
A hacker infiltrated LastPass, the password manager owned by GoTo (formerly LogMeIn, Inc.), two weeks ago. The company's initial investigation indicates the intrusion reached only its internal software development systems.
Fortunately, no data concerning customer passwords or account details was affected. On Thursday, August 25, 2022, LastPass sent an email to customers about the breach.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” the email stated.
“We have no evidence that this incident involved any access to customer data or encrypted password vaults,” it added.
LastPass Has Employed Containment and Mitigation Measures
In response to the data breach, LastPass has deployed “containment and mitigation measures.” Additionally, they have also hired a leading cybersecurity firm to investigate the intrusion. The company has also posted an FAQ confirming that all LastPass products and services are uninterrupted and operating normally.
LastPass hasn't shared any other details while its forensic investigation is under way. The major concern is that the stolen source code and technical information could help attackers find vulnerabilities in LastPass's products or infrastructure.
For now, the company’s FAQ states that LastPass doesn’t store information on the “Master Password” customers use to access their accounts over the password management services.
Instead, the company uses a "zero-knowledge" model: the master password is used on the customer's device to derive the key that decrypts the vault, and only derived values, never the password itself, are sent to LastPass. The master password therefore exists only on the customer's device at the moment it is typed, and in the customer's memory.
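As an added illustration of the zero-knowledge model described above (example code written for this article, not LastPass's own implementation): the client derives a vault key from the master password with PBKDF2-SHA256, derives a separate one-way login hash from that key, and the server stores only a salted re-hash of the login hash. The iteration counts, the choice of the email address as salt, and the `Server` class are assumptions for illustration; a server breach in this design exposes only the stored login records, not anything that decrypts a vault.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example. LastPass has described PBKDF2-SHA256
# client-side derivation, but the exact counts and the server-side scheme
# below are illustrative, not the vendor's published values.
CLIENT_ITERATIONS = 100_100
SERVER_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side: turn the master password into the key that encrypts the vault.
    Runs on the user's device; neither the password nor this key is ever sent."""
    salt = email.strip().lower().encode("utf-8")  # assumption: email used as salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, CLIENT_ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: one more PBKDF2 round over the vault key gives the value
    sent for authentication. PBKDF2 is one-way, so the server cannot recover
    the vault key (and hence the vault contents) from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1)


class Server:
    """Hypothetical service side: keeps only a salted re-hash of the login hash."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        self.records[email] = (salt, stored)

    def verify(self, email: str, login_hash: bytes) -> bool:
        if email not in self.records:
            return False
        salt, stored = self.records[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(candidate, stored)


def client_login(server: Server, email: str, master_password: str):
    """Full client flow: derive, authenticate, and return the vault key on success.
    Returns None when the server rejects the login hash."""
    vault_key = derive_vault_key(master_password, email)
    login_hash = derive_login_hash(vault_key, master_password)
    return vault_key if server.verify(email, login_hash) else None


if __name__ == "__main__":
    srv = Server()
    email, pw = "user@example.com", "correct horse battery staple"
    vk = derive_vault_key(pw, email)
    srv.register(email, derive_login_hash(vk, pw))
    print("correct password unlocks vault:", client_login(srv, email, pw) == vk)
    print("wrong password rejected:", client_login(srv, email, "Tr0ub4dor&3") is None)
    # The server never held pw or vk, only a re-hash of the login hash.
    print("server record differs from vault key:", srv.records[email][1] != vk)
```

Note what the server can and cannot do with its records: it can confirm a login attempt, but because every stored value is the output of a one-way function, a stolen record does not yield the vault key, and the client-side iteration count makes offline guessing of the master password from any leaked value expensive.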
How to Protect Yourself from the LastPass Data Breach?
Since LastPass doesn't store the master password anywhere and uses the "zero knowledge" model, the company says users do not need to take immediate action. It also says it is working to prevent any future compromise.
The password manager's FAQ states, "At this time, we don't recommend any action on behalf of our users or administrators." If you are still worried, you can take some general measures such as changing your master password and not storing it in a file on your device.
Use a long, unique master password that mixes letters, numbers and symbols. Avoid sequences like 12345678 and dictionary words or personal details such as your name or location, since these are the first guesses in any cracking attempt.
Change your LastPass Master Password
The master password to your LastPass account is an all-in-one key that unlocks access to everything in your account including all the site passwords, secure notes, form fill items, etc. Follow these steps to change your LastPass master password:
- Launch a web browser and visit this page.
- Now log in with your email address and master password.
- Next, choose Account Settings from the left navigation.
- On the General tab, click on “Change Master Password.”
- Now enter your current master password.
- Next, enter a new master password and enter a password hint.
- Finally, click on “Save Master Password.”
After resetting the master password, write it on a piece of paper with a ballpoint pen and keep the paper somewhere safe. Don't leave it in a random drawer or under your mattress. Keeping a second copy in a separate safe place is also recommended.
LastPass Also Faced a Credential Stuffing Attack Last Year
LastPass also faced a credential stuffing attack last year, in which attackers attempted to log in to accounts using email addresses and master passwords obtained from breaches of other services. Some reports at the time linked the leaked credentials to the RedLine password-stealing malware, but the company said it found no indication that accounts were compromised or that LastPass credentials had been harvested by malware.
LastPass released the following statement in response to the attack, “Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.”
“We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”
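Credential stuffing, as the statement above describes it, looks different from a user mistyping a password: one source tries many different accounts, typically once each, rather than one account many times. The following detector, written for this article rather than taken from LastPass, runs over a constructed authentication log in a made-up `src=… user=… result=…` format and flags any source IP that attempts at least five distinct accounts within a five-minute window, reporting any successes so those accounts can be forced to reset. The log format, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (RFC 5737 documentation addresses). 203.0.113.7 sprays
# six accounts in 13 seconds and gets one hit; 198.51.100.23 is one user who
# mistypes and then succeeds; 192.0.2.5 is a single normal login.
SAMPLE_LOG = """
2021-12-27T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2021-12-27T10:00:03Z src=203.0.113.7 user=bob@example.com result=FAIL
2021-12-27T10:00:05Z src=203.0.113.7 user=carol@example.com result=FAIL
2021-12-27T10:00:08Z src=203.0.113.7 user=dave@example.com result=FAIL
2021-12-27T10:00:11Z src=203.0.113.7 user=erin@example.com result=OK
2021-12-27T10:00:14Z src=203.0.113.7 user=frank@example.com result=FAIL
2021-12-27T10:02:00Z src=198.51.100.23 user=alice@example.com result=FAIL
2021-12-27T10:02:20Z src=198.51.100.23 user=alice@example.com result=FAIL
2021-12-27T10:02:45Z src=198.51.100.23 user=alice@example.com result=FAIL
2021-12-27T10:03:10Z src=198.51.100.23 user=alice@example.com result=OK
2021-12-27T10:05:00Z src=192.0.2.5 user=grace@example.com result=OK
""".strip().splitlines()

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line: str):
    """Parse one log line into (timestamp, ip, user, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"].lower(), m["result"]


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try >= min_distinct_users different accounts inside
    any sliding window of the given length. Returns {ip: summary}."""
    events = sorted(e for e in map(parse, lines) if e is not None)
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so it covers at most `window` of time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {u for _, u, _ in evs[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                # Once flagged, summarise the IP's whole activity, including
                # which accounts it actually got into.
                alerts[ip] = {
                    "distinct_users": len({u for _, u, _ in evs}),
                    "attempts": len(evs),
                    "successes": sorted(u for _, u, r in evs if r == "OK"),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts across {info['distinct_users']} accounts; "
              f"successful logins: {info['successes'] or 'none'}")
```

The one-user-many-failures pattern from 198.51.100.23 is deliberately not flagged here; that is brute force or a forgetful user and calls for per-account lockout logic rather than this per-source rule. Any account in the `successes` list of a flagged IP should be treated as compromised, because the attacker supplied a valid credential that was leaked elsewhere.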
Before that, LastPass had disclosed a security vulnerability in its extension for Google Chrome. Although it wasn't a breach, the news left many Internet users worried.
For now, the situation is under the company’s control. We’ll keep you updated on further developments.