Using different passwords on every website and storing them in a secure password manager is a standard best practice in data security. It’s generally good advice, but what happens when the makers of password vaults get hacked?
That’s what the more than twenty-five million users of LastPass are now finding out. LastPass is one of the largest password vaults in the world, and unfortunately, that makes it a tempting target for hackers everywhere. On August 25, 2022, LastPass’ CEO Karim Toubba announced that “an unauthorized third party had stolen portions of the source code and some proprietary LastPass technical information.”
The breach appears to have been confined to the company’s development servers when a developer’s account was compromised. The good news for LastPass customers takes two forms. First is that the development servers did not contain any customer data. Second, LastPass employs “zero knowledge” architecture, meaning that even though it stores your passwords, no one can access your information without your master password.
LastPass stated that the breach had no effect on the master passwords of its users and said that there is no evidence of any more criminal activity. Therefore, there is currently no action that is necessary from those who use their service.
While an investigation into the incident continues, the company said that it has installed new preventative measures and that it has retained the assistance of an industry-leading cybersecurity and forensics firm.