A threat actor gained unauthorized access to the source code and proprietary technical information of password manager LastPass, the company told its customers on Thursday.
The unauthorized user compromised a single developer account to steal portions of the LastPass development environment, the company says. There is “no evidence” the attacker gained access to customer data or encrypted password vaults, LastPass spokesperson Nikolett Bacso-Albaum tells Information Security Media Group. The incident occurred two weeks ago.
The company says its zero-knowledge model ensures that only customers can access decrypted password vault data. LastPass products and services were not disrupted by the incident, Bacso-Albaum adds.
LastPass says it has contained the impact from the incident, implemented additional security measures, and hired a security and forensics firm to conduct the investigation.
This isn’t the first time LastPass has been a target for hackers. Earlier incidents include one in 2015 in which attackers made off with usernames and hashed master passwords. Users with strong master passwords, which unlock access to the password vault, had little cause for concern – even less so if they activated multifactor authentication.