- The incident did not compromise your master password or the master password of your users.
- No data within your or your users’ vault was compromised.
- There’s no evidence that your personal information was compromised.
- No action is required. Just make sure you follow best practices around the setup and configuration of LastPass.
LastPass, a password manager with over 25 million users, admitted to being hacked — an attacker exfiltrated portions of internal data.
"Two weeks ago, we detected some unusual activity within portions of the LastPass development environment," Karim Toubba, CEO of LastPass, said.
The company has seen no evidence of customer data or encrypted password vaults being compromised.
Toubba said an attacker managed to breach systems through a compromised developer account. They took portions of source code and some proprietary LastPass technical information.
"Our products and services are operating normally," Toubba assured.
The investigation of the breach is still ongoing, but the company said it saw no further evidence of unauthorized activity.
Cybernews reached out to LastPass to learn more about the incident, but its spokesperson told Cybernews the company was not providing anything beyond what has been shared until further notice.
This is not the first scare for LastPass customers in recent history. Last December, a LastPass user submitted a post to Hacker News, stating that they received a security alert from LastPass about a blocked login attempt from Brazil. According to the user, the person who attempted the login was using their LastPass account's master password.
As panic among LastPass users began to spread across social media, the company launched an investigation into the possible incident. "Our initial findings led us to believe that these alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts," the company then said, while users were urged to change their master passwords and enable multi-factor authentication.
Chris Morgan, a Senior Cyber Threat Intelligence Analyst at Digital Shadows, said that it is realistically possible that threat actors may have gained access to valuable information that could be used to launch further attacks on the company or its customers.
“At this time, LastPass has however clarified that users do not need to take any further actions to protect themselves, as no passwords, including master passwords, are believed to have been accessed. The incident also does not diminish the usefulness of password managers, which are still the best way to manage and audit the use of credentials,” Morgan said.
A wave of cyberattacks
LastPass is yet another company that has recently admitted to being breached. Scammers fooled Cloudflare's employees into entering their credentials into a phishing page, but the company successfully thwarted the attack.
The same happened with Twilio. Using the credentials stolen from Twilio employees, attackers gained access to the company's internal systems and exposed 1,900 Signal user numbers.
Group-IB said that the recent attacks on Twilio and Cloudflare were part of a coordinated phishing campaign that compromised nearly 10,000 accounts across 130 organizations.
Fraudsters spoofed identity and access management firm Okta to launch a sophisticated supply chain attack using 169 phishing domains that worked off of keywords such as "SSO," "VPN," "OKTA," "MFA," and "HELP."
It's yet unclear whether LastPass fell victim to the same campaign that Group-IB dubbed 0ktapus.
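Defenders can turn the keyword pattern Group-IB describes into a triage check over newly registered or passive-DNS domains: flag any hostname that pairs the organisation's brand with one of the campaign keywords outside the organisation's own domains. The script below is an added example, not code from Cybernews, LastPass or Group-IB; the brand "examplecorp", the allowlist and the domain feed are constructed for illustration.

```python
import re

# Keywords Group-IB reported the 0ktapus phishing domains were built around.
CAMPAIGN_KEYWORDS = ("sso", "vpn", "okta", "mfa", "help")


def _tokens(domain):
    """Split a hostname into lowercase tokens on dots, hyphens and digits."""
    return [t for t in re.split(r"[.\-\d]+", domain.lower().rstrip(".")) if t]


def lookalike_keywords(domain, brand, legit_domains=(), keywords=CAMPAIGN_KEYWORDS):
    """Return the campaign keywords found in `domain` when it also carries
    `brand` and is not under one of the organisation's own domains, else []."""
    host = domain.lower().rstrip(".")
    # Hosts under a known-good domain are the organisation's real SSO/VPN portals.
    for good in legit_domains:
        good = good.lower()
        if host == good or host.endswith("." + good):
            return []
    tokens = _tokens(host)
    # Substring match on each label catches both "sso-brand" and "brandsso".
    if not any(brand.lower() in t for t in tokens):
        return []
    return [k for k in keywords if any(k in t for t in tokens)]


def triage(domains, brand, legit_domains=()):
    """Map each suspicious domain in a feed to the keywords that flagged it."""
    hits = {}
    for d in domains:
        kws = lookalike_keywords(d, brand, legit_domains)
        if kws:
            hits[d] = kws
    return hits


# Constructed sample feed for a fictional organisation (not real indicators).
SAMPLE_DOMAINS = [
    "sso-examplecorp.com",
    "examplecorp-okta-help.net",
    "examplecorpvpn.info",
    "sso.examplecorp.com",   # legitimate: under the org's own domain
    "examplecorp.com",
    "lessons-online.org",    # contains "sso" as a substring but not the brand
]

if __name__ == "__main__":
    for d, kws in triage(SAMPLE_DOMAINS, "examplecorp", ["examplecorp.com"]).items():
        print(d, kws)
```

The allowlist matters: without it, the organisation's own `sso.` and `vpn.` hosts are flagged alongside the lookalikes.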