Popular password management company LastPass has confirmed a data breach leading to the theft of its proprietary source code and other technical information. According to the company’s investigation, the attacker got into portions of its development environment through a single compromised developer account. LastPass has confirmed that no passwords were stolen and that all user accounts are safe.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” reads the company’s recent blogpost. LastPass has also assured that all its products and services are operating normally. While the company’s investigation is still underway, it has engaged a leading cybersecurity and forensics firm to deploy containment and mitigation measures and to sanitise its development environment. “… we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
For those unaware, LastPass is a leading password management company that claims to use strong encryption algorithms to safeguard all your passwords, payment details, and other important login details in one database, or vault. You access this vault with a master password that is created when you sign up for the service. The company has confirmed that the breach did not compromise master passwords or the vault.
To recall, this isn’t the first breach that LastPass has faced. In 2015 the company also fell prey to a hack that accessed its users’ email addresses, master passwords, and even the reminder words or phrases that users enter while creating their master passwords. In response, the company deployed Hardware Security Modules (HSMs), which are designed to protect LastPass’s cryptographic infrastructure.
“We’ve implemented dozens of other changes, large and small, to strengthen our systems and improve the service going forward. We’ve opened up a paid bug bounty program to source security improvements from the research community. We’re adding scrypt as an additional layer to strengthen the authentication hashes server-side, adding further protection against large-scale brute-force attacks,” it then wrote in a blog post.
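As an added illustration of the server-side layer described in that 2015 post (example code written for this article, not LastPass’s own implementation): a client-derived authentication hash is wrapped in a salted scrypt computation before storage, so a stolen database holds neither the master password nor the hash the client sends. The client PBKDF2 step, the iteration counts and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration; the real iteration counts,
# scrypt cost settings and salt handling are not stated in the article.
CLIENT_PBKDF2_ROUNDS = 100_100
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Assumed client-side step: derive an authentication hash from the
    master password so the password itself never leaves the device.
    The lower-cased email serves as the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode(),
        email.lower().encode(),
        CLIENT_PBKDF2_ROUNDS,
        dklen=32,
    )


def server_store(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server-side layer: run scrypt with a fresh random salt over the
    received auth hash and store only the result. An attacker holding
    the database must pay a memory-hard scrypt evaluation per guess on
    top of the client-side PBKDF2 work, which blunts large-scale
    brute force against leaked records."""
    salt = os.urandom(16)
    stored = hashlib.scrypt(
        auth_hash, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute scrypt over the submitted auth hash with the stored
    per-user salt and compare in constant time."""
    candidate = hashlib.scrypt(
        auth_hash, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    h = client_auth_hash("correct horse battery staple", "user@example.com")
    salt, stored = server_store(h)
    print("stored value differs from client hash:", stored != h)
    print("login with correct hash:", server_verify(h, salt, stored))
```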