LastPass, a password management software company, suffered a data breach that resulted in the theft of source code and proprietary technical information. According to the company, source code theft is not a direct threat to customer credentials, and the users have to do nothing from their end to secure their data.
The details were disclosed in an online notice posted on the company's website. The notice highlighted that the source code breach was unable to compromise customers’ master passwords or any encrypted password vault data. Because LastPass never stores or has access to a customer's master password.
Investigation details
Through a single compromised developer account, the unauthorized party gained access to portions of the LastPass development environment.
- There was no unauthorized access to the password vaults or customer credentials.
- Although the data breach provided the attacker with some critical information, all of the company's products and services were operating as usual.
- CEO Karim Toubba stated that two weeks ago, the company's security team detected unusual activity and immediately launched an investigation, which confirmed the source code theft.
LastPass' response
The company's reaction to the source code data breach was immediate.
- It has already implemented containment and mitigation measures, as well as hired leading cybersecurity and forensics firm to investigate the causes of the source data theft.
- While the investigation is still ongoing, the company has achieved containment, implemented additional enhanced security measures, and no further unauthorized activity has been reported.
- The latest source code data breach comes on the heels on LastPass users being targeted with credential stuffing attacks that use email addresses and passwords obtained from third-party breaches.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_504801349.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock_000023173810_Small.jpg)
