
Password manager LastPass reveals intrusion into development system


LastPass, maker of a popular password management application, revealed Thursday that an unauthorized party gained access to its development environment through a compromised developer account and stole some source code and proprietary technical information. An initial probe of the incident has revealed no evidence that customer data or encrypted password vaults were accessed by the intruder, CEO Karim Toubba stated in a company blog post.

Toubba explained that the master passwords of the company’s users are protected by a zero-knowledge architecture, which prevents LastPass from knowing or accessing those passwords.

“Our products and services are operating normally,” adds LastPass spokesperson Nikolett Bacso Albaum. “In response [to the incident], we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm.”

“While our investigation is ongoing,” she continues, “we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

Password managers an attractive target

While the motive of the people responsible for this LastPass incident is unknown, password managers are a challenging but attractive target for threat actors, observes Melissa Bischoping, an endpoint security research specialist with Tanium, an endpoint management and security company. “They unlock—quite literally—a treasure trove of access to hundreds of thousands of accounts and sensitive customer data in an instant, if they are breached,” she says.

Also unknown is how the developer account was compromised. Presumably, LastPass had proper authentication controls in place, but sometimes “even strong authentication solutions are not enough for various reasons,” says Rajiv Pimplaskar, CEO of Dispersive Holdings, a secure access service edge provider.

Copyright © 2022 IDG Communications, Inc.
