Posted on August 27, 2022 at 7:36 PM
LastPass Confirms Hacking Attack On Its Password Managing Platform
Password management service LastPass has confirmed that it was recently the subject of a cybersecurity attack. According to the firm, the attack led to the exposure of some technical information and source code from its server. The issue occurred two weeks ago, but the firm has been investigating the incident. According to LastPass, the hackers targeted its development environment, but no encrypted passwords or customer data were accessed.
Chief Executive Officer of LastPass, Karim Toubba, commented on the development. He stated that the unauthorized person accessed parts of the LastPass development environment, stealing portions of the source code as well as some proprietary LastPass technical details.
While LastPass was investigating the incident, it called in for assistance by engaging the services of a forensics and cybersecurity firm. The password management service informed users that it has already implemented additional security solutions to counter any further exposure or breach.
The firm’s management stated that it doesn’t store user passwords on its system, which means no user password or master password was exposed.
No Evidence There Was Access To Encrypted Data
LastPass also stated that the investigation of the incident did not see any evidence of unauthorized access to encrypted data. The company has assured users that users environment is not compromised. At this time, the firm has not recommended any action to be taken but advised users to continue applying security controls and follow best practices to protect their data.
Although LastPass says it has mitigated the attack and no further action is needed, it didn’t provide any details of the exact mitigation method used to strengthen the environment.
The company claims to have more than 100,000 business accounts and over 33 million active users.
The firm has also posted an FAQ for users to get more information about the status f the incident and whether they have been exposed. It noted that all LastPass products and services will be operating normally, despite the breach.
However, there has been a major concern about whether the compromised proprietary data will give way for threat actors to uncover flaws in the firm’s password management product.
LastPass has assured users that it uses a “zero knowledge” encryption model to unlock access to a user’s account. The process involves the storage of the Master Password on the customer’s device only.
However, the company has advised users to ensure that they activate multi-factor authentication (MFA) on their accounts. It will give the users an extra security layer in case the online portal they use is exposed. LastPass has informed users that more updates on the incident and further action to take will come as the investigation on the matter continues.
Twice Attacked Under A Year
This will be the second time LastPass will be suffering a breach within a year. Last December, the company suffered a credential stuffing attack that gave hackers access to a user’s master password. The master passwords, according to the report, were stolen by hackers distributing the RedLine password-stealing malware.
At the time, several LastPass users reported that their master passwords have been breached after receiving warnings that someone tried to log into their accounts from unknown locations.
The notification also informed the user that the security software blocked the loin attempts since they were made from unknown locations.
LastPass later said it was credential stuffing. The company stated that it investigated the reports on blocked login attempts and discovered that it was a common bot-net activity from a bad actor. The firm also noted that there was no information that any user account was successfully accessed, and steps have been taken to keep users safe.
LastPass Urged To Strengthen Security
In June 2015, the password manager had to deal with another breach after confirming that threat actors had accessed the network. Unlike now, users were advised to change their master passwords when they log into the platform. In the latest incident, it’s good that customers’ data was not breached.
However, it is alarming that the threat actors had access to ‘proprietary technical information and source code. This is even more worrying since there are no further details regarded what has been stolen.
While LastPass has been upfront about any hacking incident whenever they occur, the firm has been charged to beef up its security. It has been asked to prioritize the security and protection of customers’ passwords to maintain the rust it has built over the years.