The developers of the web-based password manager service LastPass have just informed their users about a security incident. Two weeks ago, unusual activity was detected in the LastPass development environment. Unauthorized third parties apparently managed to gain access to parts of that development environment.
Blog readers alerted me to the LastPass security incident via personal messages on both Twitter and Facebook (thanks for that). Blog reader Phil provided me with the text of the notification LastPass is sending to affected customers.
Dear valued customer,
We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.
In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update our customers with the transparency they deserve.
We have set up a blog post dedicated to providing more information on this incident. We thank you for your patience as we work expeditiously to complete our investigation and regret any concerns this may have caused you.
The Team at LastPass
In a nutshell, LastPass recently detected unusual activity in parts of its development environment. Upon investigation, an unauthorized party was found to have gained access to parts of the development environment through a single compromised developer account and to have stolen parts of the source code and some proprietary LastPass technical information.
LastPass writes that it has no evidence that this incident involved any access to customer data or encrypted password vaults. LastPass products and services are operating normally, the company says.
In response, an investigation was launched immediately, containment and mitigation measures were put in place, and a leading cybersecurity and forensics firm was engaged. While that investigation is still ongoing, the security specialists at LastPass have reached a state of containment (of the attack) – or so they hope. Additionally, enhanced security measures have been implemented. Currently, those in charge at LastPass see no further evidence of unauthorized activity.
Based on the lessons learned and the measures implemented, LastPass is evaluating further protective measures. For users of the service, there appear to be no consequences so far: no passwords were accessed, and master passwords are not at risk either. Catalin Cimpanu summarized the whole thing in the following tweet.
On August 25, 2022, LastPass published its Notice of Recent Security Incident along with an FAQ about the incident.