Password manager LastPass has been hacked. Here’s what we know so far

• An unauthorized party had stolen “portions of source code and some proprietary LastPass technical information.”
  
• The breach appears to have been of the development servers, facilitated by a compromise of a LastPass developer account two weeks ago.

Experts have always recommended password managers, to generate unique, strong security codes for our online accounts—which is a great idea, until that password manager itself is breached, potentially offering attackers access to all the accounts it was designed to protect. That is exactly what happened to LastPass, a password manager used by more than 33 million people around the world. The company confirmed yesterday that it has been hacked.

In an advisory published yesterday, CEO Karim Toubba said that an unauthorized party had stolen “portions of source code and some proprietary LastPass technical information.” Toubba said the company detected some unusual activity within portions of the the company’s development environment two weeks ago. Fortunately, the investigation shows no evidence that the incident involved any access to customer data or encrypted password vaults.  

We recently detected unusual activity within portions of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More info: https://t.co/cV8atRsv6d pic.twitter.com/HtPLvK0uEC

— LastPass (@LastPass) August 25, 2022

In simple terms, no passwords were compromised. Instead, an unauthorized party gained access to portions of the the company’s development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. “Our products and services are operating normally,” Toubba clarified.

For context, LastPass offers a software vault that stores your username and password pairs for logging into websites. Users can create unique and tough-to-crack passwords for each site account and have them saved in their vault. A master passphrase is needed to unlock and use these credentials. All a user has to do is create and remember that secret phrase.

In the company’s FAQ section, it says that LastPass never stores or has knowledge of  any user’s Master Password. The company in fact utilizes an industry standard zero knowledge architecture that ensures LastPass can never know or gain access to its customers’ Master Password. That said, in response to the incident, LastPass has deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. 

In general, the zero-knowledge architecture used by the top password managers encrypts passwords before they leave your device. When they’re on a server, even the provider has no way to decipher them. Some password managers will remind you to change passwords regularly and evaluate their strength. Others will scan the dark web to check if any of your logins have appeared online.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” the CEO said. Though the transparency LastPass has adopted in its in response to this incident is laudable, it isn’t the first time that users of the password manager have had to deal with news of a breach.

In June 2015, the company confirmed that hackers had accessed the network. At that point, unlike now, users were prompted to change master passwords when logging in. In 2017, it had a serious password-leaking flaw in its code. Then in 2019, it fixed a bug that websites could exploit to steal passwords for accounts on other sites.

Even last year, LastPass suffered a credential stuffing attack that allowed threat actors to confirm a user’s master password. That breach saw LastPass master passwords stolen by threat actors distributing the RedLine password-stealing malware.