In August, LastPass acknowledged that an “unauthorized party” had managed to break into its system. Any news about a password manager being hacked can be alarming, but the company is now assuring its users that their logins and other information were not compromised in the event.
In its latest update on the incident, LastPass CEO Karim Toubba said the company’s investigation with cybersecurity firm Mandiant revealed that the bad actor had internal access to its systems for four days. They were able to steal some of the password manager’s source code and technical information, but their access was limited to the service’s development environment, which is not connected to customer data or encrypted vaults. Additionally, Toubba pointed out that LastPass does not have access to users’ master passwords, which are necessary to decrypt their vaults.
The CEO said there is no evidence that this incident “involves any access to customer data or encrypted password vaults.” They also found no evidence of unauthorized access beyond those four days and no trace of the hacker injecting malicious code into the systems. Toubba explained that the bad actor was able to infiltrate the service’s systems by compromising a developer’s endpoint. The hacker then posed as the developer “once the developer had been successfully authenticated using multi-factor authentication.”
In 2015, LastPass suffered a security breach that compromised users’ email addresses, authentication hashes, password reminders, and other information. A similar breach would be more devastating today, now that the service reportedly has more than 33 million registered customers. While LastPass isn’t asking users to do anything to keep their data safe this time around, it’s always good practice to avoid reusing passwords and to enable multi-factor authentication.