Security Advisory: LastPass Security Breach
CVE number(s) | N/A
Affected products | LastPass Password Manager
Description of Vulnerability or Software Flaw
Early this month, the password management organisation LastPass encountered a security breach resulting in unauthorised access to their development environment. LastPass announced that a compromised developer account allowed threat actors to access a portion of the LastPass developer environment, resulting in the theft of proprietary technical information and source code.
LastPass have stated in their security advisory that there is no evidence of “any access to customer data or encrypted password vaults”, and have included a number of FAQs regarding user information, master passwords, and vault information. Currently, their investigation is ongoing.
Identification and remediation
Although LastPass have not specified the details of the stolen source code, threat actors could have gained access to the encryption methods the organisation uses to encrypt and decrypt Master Passwords. Because of their zero-knowledge architecture, LastPass do not store copies of passwords or Master Passwords in plain text. Therefore, encrypted vault data, passwords, Master Passwords, and customer personal information have not been compromised in this security breach.
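The reason disclosure of the encryption code alone does not expose vault contents is that in a zero-knowledge design the only secret is the user's Master Password: the server holds a salt, a work factor, a login verifier and ciphertext, and every one of those can be public knowledge without the vault becoming readable. The model below is an added illustration written for this advisory, not LastPass's code or architecture; the function names, the PBKDF2 parameters and the stdlib-only HMAC counter-mode cipher (a stand-in for a proper authenticated cipher such as AES-GCM) are all assumptions, and the sample user, password and vault are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample values (not real credentials).
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
SAMPLE_VAULT = b'{"site":"example.net","user":"alice","pass":"s3cr3t!"}'

ITERATIONS = 100_000  # hypothetical work factor; real products use more


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch the Master Password into two unrelated keys.

    The vault key never leaves the client. The login hash is what the client
    sends to the server to authenticate; it cannot be turned back into the
    vault key, so the server never learns anything that decrypts the vault.
    """
    kek = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    vault_key = hmac.new(kek, b"vault-encryption", "sha256").digest()
    login_hash = hmac.new(kek, b"server-authentication", "sha256").digest()
    return vault_key, login_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; fail closed on mismatch."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def enrol(email: str, master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the server ends up storing for one user. No plaintext, no vault key."""
    salt = os.urandom(16)
    vault_key, login_hash = derive_keys(master_password, salt)
    return {
        "email": email,
        "salt": salt,
        "iterations": ITERATIONS,
        "login_hash": login_hash,
        "vault_blob": encrypt_vault(vault_key, vault_plaintext),
    }


def open_vault(record: dict, master_password: str):
    """Client-side unlock. Returns the vault, or None if the password is wrong."""
    vault_key, _ = derive_keys(master_password, record["salt"], record["iterations"])
    try:
        return decrypt_vault(vault_key, record["vault_blob"])
    except ValueError:
        return None


def record_exposes_secret(record: dict, secret: bytes) -> bool:
    """Check whether any stored field contains the secret in the clear."""
    return any(secret in v for v in record.values() if isinstance(v, bytes))


if __name__ == "__main__":
    rec = enrol(SAMPLE_EMAIL, SAMPLE_MASTER_PASSWORD, SAMPLE_VAULT)
    print("stored fields:", sorted(rec))
    print("vault leaks password in clear:", record_exposes_secret(rec, b"s3cr3t!"))
    print("unlock with right password:", open_vault(rec, SAMPLE_MASTER_PASSWORD) == SAMPLE_VAULT)
    print("unlock with wrong password:", open_vault(rec, "guess"))
```

The point of the model is the split in `derive_keys`: the login hash the server keeps is derived from the stretched password but is domain-separated from the vault key, so the stored record plus the complete source of every function above still yields nothing without the Master Password itself. That is also why the practical risk after a source-code theft is downstream (phishing, credential stuffing against reused passwords) rather than direct vault decryption, which is what the multi-factor recommendation below addresses.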
Although LastPass have stated that they “don’t recommend any action on behalf of our users or administrators”, Loop recommends that users ensure multi-factor authentication is enabled on their LastPass accounts and on any accounts whose credentials are saved in LastPass vaults.