“An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” the makers of the popular password manager LastPass announced on Thursday, but reassured users that the Master Passwords securing their password vaults are safe.
LastPass says that they detected the breach two weeks ago, but that they haven’t (to this date) discovered evidence of the attacker gaining access to customer data in their production environment or encrypted password vaults.
“This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” the company added.
The attacker apparently got in by compromising a developer account. How, exactly? LastPass hasn’t shared.
The company is sending out emails to notify users of the breach, but is not requiring them to change their Master Password. Nevertheless, they are urging users to follow security best practices to keep their accounts secure. These practices involve keeping devices updates, using strong, unique passwords, and setting up multifactor authentication (MFA) for additional security.
Unfortunately, it’s impossible to predict how the stolen source code and technical information will end up being used by attackers. There is the possibility of it helping attackers to discover vulnerabilities that can be exploited to compromise accounts.
In the past 5-6 years, several vulnerabilities in LastPass and its extensions were flagged by Google researcher Tavis Ormandy.
UPDATE (September 19, 2022, 03:45 a.m. ET):
LastPass has completed the investigation and confirmed that the threat actor’s activity was limited to a four-day period in August 2022 and they did not access any customer data or encrypted password vaults.
“In order to validate code integrity, we conducted an analysis of our source code and production builds and confirm that we see no evidence of attempts of code-poisoning or malicious code injection. Developers do not have the ability to push source code from the Development environment into Production. This capability is limited to a separate Build Release team and can only happen after the completion of rigorous code review, testing, and validation processes,” they added.