August 26, 2022

LastPass has released a security advisory confirming a breach via a compromised developer account that attackers used to gain access to the company’s developer environment.

Upon gaining access, the attacker stole the company’s source code and proprietary technical information.

“In response to the incident, we have developed containment and mitigation measures and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures and saw no further evidence of unauthorized activity,” the LastPass advisory states.

LastPass has yet to provide details about the attack, including how the threat actors compromised the developer account and which source code was stolen.

However, the company said that passwords were not compromised during the cyberattack although the company stores passwords in ‘encrypted vaults’ that can only be decrypted with a customer’s master password.

An earlier hack in 2021 allowed attackers to confirm the user’s master password. This means that it is now important for users to enable multi-fsctor authentication on their LastPass accounts, which will help prevent threat actors from accessing their accounts even if their data is compromised.

The sources for this piece include an article in BleepingComputer.