The widely used password manager LastPass reports the theft of parts of its source code, and the company explains what this means for its customers.
Many people use a password manager so that they do not have to remember all of their online credentials. Such a program keeps every username and password pair encrypted in a virtual vault; the user only has to remember the master password that unlocks it. This usually improves security, because a manager lets users pick long, random passwords that are hard to crack and different for every site. It is unsettling, then, to read that a password manager itself has been attacked. That is exactly what happened to LastPass, one of the world's most widely used credential vaults.
Two weeks ago, unusual activity was noticed in parts of the LastPass development environment, CEO Karim Toubba writes in a blog post. The investigation found that an unknown actor had stolen parts of the source code and some proprietary technical information from LastPass through a compromised developer account.
Toubba emphasizes, however, that no evidence was found that the attackers had access to customer data or to encrypted password vaults. LastPass has engaged a leading cybersecurity and forensics firm to investigate further and to implement additional security measures. Stolen source code is still valuable to an attacker, since it makes it easier to study the client and the service for weaknesses, so the absence of vault access is reassuring without closing the matter.
According to the accompanying FAQ, the attackers could not have obtained master passwords, because LastPass's zero-knowledge architecture means the master password is never stored by or sent to the company: only the user knows it. Since the vault is encrypted on the user's device with a key derived from that master password, the FAQ states, the data stored in the vault was not compromised either. The investigation also found no evidence that personal user data was stolen. The all-clear goes so far that LastPass recommends no further action to its customers.
This is not the first time LastPass has been attacked. Last winter, attackers apparently tried to get into user vaults using passwords stolen in breaches elsewhere, a technique known as credential stuffing. According to a statement the company gave to AppleInsider at the time, vault contents were not compromised then either, as long as customers used a master password they had not reused anywhere else.
As recently as June, the German consumer organisation Stiftung Warentest confirmed that LastPass is secure: it was one of only two of the 16 products tested to be certified as having very good security functions. Because its handling is somewhat complicated and the testers found very clear deficiencies in its privacy policy, LastPass still received no better than a "satisfactory" overall grade.