In August, LastPass admitted that an “unauthorized party” had gained access to its system. Any news about a hacked password manager can be alarming, but the company is now reassuring its users that their logins and other information were not compromised in the incident.
In his latest update on the incident, LastPass CEO Karim Toubba said the company’s investigation with cybersecurity firm Mandiant revealed the bad actor had internal access to its systems for four days. The attacker was able to steal some of the password manager’s source code and technical information, but the access was limited to the service’s development environment, which is not connected to customer data and encrypted vaults. Additionally, Toubba pointed out that LastPass doesn’t have access to users’ Master Passwords, which are needed to decrypt their vaults.
The CEO said there was no evidence this incident “involved access to customer data or encrypted password vaults.” Investigators also found no evidence of unauthorized access beyond these four days and no traces that the hacker had smuggled malicious code into the systems. Toubba explained that the attacker was able to infiltrate the service’s systems by compromising a developer’s endpoint. The hacker then impersonated the developer “once the developer successfully authenticated using multi-factor authentication.”
In 2015, LastPass suffered a security breach that compromised users’ email addresses, authentication hashes, password reminders, and other information. A similar breach would be even more devastating today, given that the service is said to have over 33 million registered customers. While LastPass isn’t asking users to do anything to protect their data this time, it’s always good practice to avoid reusing passwords and to enable multi-factor authentication.
https://www.engadget.com/lastpass-hacked-no-user-data-was-compromised-064640557.html?src=rss LastPass was hacked, but it says no user data was compromised