One of the world’s biggest password managers with 25 million users, LastPass has been hacked, the company has confirmed. In an advisory, LastPass CEO, Karim Toubba confirmed that an unauthorised party had stolen “portions of source code and some proprietary LastPass technical information”. Two weeks ago, LastPass detected some unusual activity within portions of its development environment, the company said.
Also read: North Korea’s Lazarus Group Infamous For WannaCry Hack Now Targets Mac Users With Fake Job Posts
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally,” the company CEO said in a statement.
According to LastPass, in response to the hacking incident, it has deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” Toubba added.
Also read: Beware! This Italian Spyware Is Hacking Apple iPhones And Android Smartphones
“Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment,” the company CEO noted.
The company has included a brief FAQ along with the advisory of what it anticipates will be the most pressing initial questions and concerns from its users and mentioned that it would continue to update users with the “transparency” they deserve.
The company noted that the hacking incident did not compromise users’ “Master Password” as it never stores or have knowledge of users’ Master Password. It utilises Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.
Further, according to LastPass’ investigation, there has been no evidence of any unauthorised access to customer data in its production environment.