It’s a day ending in Y, which means yet more news of security breaches. On Thursday, Lastpass notified users that its developer environment was infiltrated—but also was quick to reassure customers that password vaults and customer data are safe.
In the announcement sent via email and posted to its blog, the company describes the root issue as a compromised developer account, through which part of LastPass’s source code and proprietary technical info were taken. At this time, LastPass says it has taken steps to isolate and mitigate the issue, as well as hired an outside cybersecurity and forensic team, with the investigation still ongoing. Users are not currently being advised to change their master password.
This is not the first time LastPass has reported a hack of its service. In 2015, the company experienced unauthorized access of user account email addresses, password reminders, and authentication hashes. Other vulnerabilities have been revealed as well—Tavis Ormandy, a Google Project Zero researcher, noted in 2016 he’d found problems with LastPass’s service, and in 2017 news broke of a browser extension vulnerability that allowed websites to steal passwords. In 2019, Ormandy also discovered another browser extension vulnerability that made it possible for the last used password to be leaked.
If you’re a current LastPass user, you might be nervous about this news, even despite calm responses from prominent figures in the security field. LastPass does earn accolades for its day-to-day experience, including our top recommendation for a paid password manager, but security breaches and even communication mishaps (like last December’s acc ..
Support the originator by clicking the read the rest link below.
