
One of the biggest reasons someone decides to use a password manager is to avoid having to remember every single password they have for websites, apps, and other services.
With a password manager, all they need to remember is one strong master password, and the manager takes care of the rest. LastPass, a freemium password management service that stores users' encrypted vaults in private accounts and is designed to help internet users protect their online accounts, is the most popular choice for many people.
And that reason alone is enough to make it an alluring target for cybercriminals.
Years back, Google researchers found a major security problem in LastPass, and years later LastPass was accused of suffering a data breach that exposed users' login credentials and allowed malicious activity on their accounts.
This time, LastPass itself confirmed that it had been hacked.
Someone managed to bypass the security measures LastPass uses to protect its users' passwords.
Fortunately, the Boston-based company, whose technology is used by 30 million users and 85,000 businesses worldwide, said that customer password information was not compromised.
This was announced by the company CEO Karim Toubba, in a blog post.
The company said it became aware of the hack when it detected unusual activity in its development environment. Only after launching an investigation did it find that an unauthorized party had bypassed its security measures.
"We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account," Toubba wrote.
To contain the attack, LastPass said it has deployed containment and mitigation measures and "engaged a leading cybersecurity and forensics firm."
In the FAQ that accompanied the report, Toubba wrote that the hackers did not compromise any master passwords, for the simple reason that under the company's zero-knowledge architecture LastPass never holds them in the first place.
"This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers' Master Password," the company said.
Toubba also wrote that there was no evidence the attack compromised users' stored passwords, which are kept encrypted, or any other customer data.
He also wrote that LastPass does not recommend any user action at this time.
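To make the "zero knowledge" claim concrete, here is an added example of the general design behind that term. It is not LastPass's code: the iteration count, the key labels, the server-side verifier and the HMAC-SHA256 stream cipher that stands in for a real AEAD such as AES-GCM are all assumptions of this example, and the vault contents are constructed. The point it shows is that the server stores only a one-way authentication hash and an encrypted blob, so an attacker who copies the server's data is left guessing master passwords at the full key-derivation cost per guess.

```python
import hashlib
import hmac
import os

# Illustrative work factor for this example; a real client uses whatever
# iteration count the vendor configures.
ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, username: str, iterations: int = ITERATIONS) -> bytes:
    """Client side only: the key that encrypts the vault is derived from the
    master password (salted with the username) and never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), iterations
    )


def derive_auth_hash(vault_key: bytes) -> bytes:
    """What the client sends to prove it knows the password. It is one-way in
    the vault key, so the server cannot turn it back into the decryption key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, b"auth-hash", 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (example stand-in for a block cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate enc/mac keys."""
    nonce = os.urandom(NONCE_LEN)
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ZeroKnowledgeServer:
    """Everything the server holds. Note what is absent: the master password
    and the vault key."""

    def __init__(self):
        self.accounts = {}

    def register(self, username: str, auth_hash: bytes, vault_blob: bytes) -> None:
        salt = os.urandom(16)
        # Hash the auth hash once more with a server salt so that a database
        # dump is not a ready-to-use login token.
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 1)
        self.accounts[username] = {"salt": salt, "verifier": verifier, "vault": vault_blob}

    def login(self, username: str, auth_hash: bytes):
        """Return the encrypted vault on success, None otherwise."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, acct["salt"], 1)
        return acct["vault"] if hmac.compare_digest(verifier, acct["verifier"]) else None


def offline_guess(username: str, stolen_vault: bytes, wordlist, iterations: int = ITERATIONS):
    """What an attacker holding a copy of the server's data can do: guess master
    passwords, paying the full PBKDF2 cost for each one. Returns the password
    that decrypts the vault, or None if no candidate in the wordlist works."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, username, iterations)
        try:
            decrypt_vault(key, stolen_vault)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    user = "alice@example.com"                      # constructed sample account
    vault = b'{"github.com": "correct-horse-battery-staple-42"}'  # constructed sample vault
    key = derive_vault_key("a long and unguessable master password", user)
    server = ZeroKnowledgeServer()
    server.register(user, derive_auth_hash(key), encrypt_vault(key, vault))
    blob = server.login(user, derive_auth_hash(key))
    print("round trip:", decrypt_vault(key, blob) == vault)
    print("stolen data guessed with a small wordlist:",
          offline_guess(user, blob, ["password", "123456", "letmein"]))
```

The caveat this makes visible: the server really does learn nothing from the auth hash, but the encrypted vault is still only as strong as the master password and the iteration count behind it. A short or reused master password is recoverable offline from a stolen vault regardless of the architecture.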
"We recently detected unusual activity within portions of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More info: https://t.co/cV8atRsv6d"
— LastPass (@LastPass) August 25, 2022
While it may seem to end users that the hack did not cause much damage, that impression is wrong.
The hackers who got past LastPass's security controls made off with portions of the software's source code as well as some proprietary LastPass technical information.
And while LastPass has not provided further details about the attack, how the threat actors compromised the developer account, or what source code was taken, it did offer a little more information in subsequent interviews.
In particular, the company said that, “in line with the company’s culture of transparency, LastPass is in the process of contacting our customers about the incident.”
Then there is the larger concern: whether the stolen source code and proprietary data could help cybercriminals uncover vulnerabilities in the company's password management products. After all, LastPass is the most popular password manager by number of users. A sound design should not depend on its source staying secret, but stolen code does shorten an attacker's path to exploitable bugs, and any credentials, internal hostnames or build secrets that happen to live in a repository are exposed outright.
Regardless, LastPass said its products and services were not affected by the hack and were operating normally.
With regard to the incident, the company has also implemented additional security measures and is evaluating further mitigation techniques to strengthen its environment.
Months later, LastPass was hacked again. It is said that the attackers used data obtained in the first hack to regain access to LastPass's systems, which is exactly why stolen source code and internal information should never be dismissed as harmless.