Password management giant LastPass has revealed details of a security incident earlier this month in which proprietary information was stolen by threat actors.
The company said that the intrusion took place two weeks ago.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
LastPass emphasised that it has no evidence that customer data or encrypted password vaults were accessed in the breach. The breach was confined to the developer environment.
In an FAQ, the firm said “we never store or have knowledge of your Master Password… We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.”
Customers can do nothing about the breach at this point.
Back in 2015, threat actors managed to access LastPass account email addresses, authentication hashes, password reminders, and “server per user salts”.
In 2021, LastPass announced it would become a standalone company again, after being acquired by LogMeIn for $125m that year.