
LastPass Confirms Security Breach, No User Data Exposed

 2 years ago
source link: https://news.softpedia.com/news/lastpass-confirms-security-breach-no-user-data-exposed-535997.shtml

A security incident was detected earlier this month

   LastPass says the user data wasn't compromised

LastPass has publicly acknowledged a security incident, revealing that a developer account was compromised, with cybercriminals managing to access portions of the source code and some proprietary technical information.

The security breach took place earlier this month, LastPass says, and after an investigation, the company was able to confirm that no user data was exposed.

With the help of a cybersecurity and forensics firm, LastPass says it determined that users’ master passwords and vaults haven’t been compromised – for what it’s worth, the master passwords aren’t being stored on LastPass servers in the first place.

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” LastPass explains.

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”

No action required on the user side

Because the breach affected only the development environment and LastPass found no unauthorized access to customer data, no further action is required on the user side.

“This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data. At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass,” the company says.

No further information has been offered on the group that managed to break in, and LastPass promises it’s already working on further mitigation techniques to block similar attempts in the future.

