The LastPass password management platform disclosed it was targeted by a cyberattack two weeks ago. Portions of the company’s source code and proprietary technical information were stolen, Bleeping Computer reported.
Two weeks ago, we detected some unusual activity within portions of the LastPass development environment.
After rumors of the attack surfaced, LastPass confirmed it yesterday in a security advisory, adding that threat actors used a compromised developer account to break into the company’s developer environment.
While the perpetrators ran off with critical data, including parts of the company’s source code and “proprietary LastPass information,” the company says that encrypted password vaults and customer data show no indicators of compromise.
The company left out some critical information, including what portions of the source code were stolen and how the attack took place.
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” reads the security advisory. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
Last year, several LastPass users fell victim to suspected credential stuffing attacks and were notified by the platform that someone tried logging into their accounts using their master passwords. The platform automatically blocked the attempts that came from unrecognized locations or devices. In credential stuffing attacks, perpetrators brute-force accounts using passwords leaked in data breaches.
To mitigate password cracking attacks such as credential stuffing, users should avoid using the same password for multiple accounts and enable multi-factor authentication (MFA) whenever possible. Furthermore, setting a complex password consisting of random combinations of lowercase and uppercase, alphanumeric, and special characters could decrease the odds of perpetrators breaching your account.
Dedicated software solutions such as Bitdefender Digital Identity Protection can help you keep safe against the influx of data breaches with features like:
- Digital footprint overview that includes traces of no-longer-used services
- Continuous monitoring of public and Dark Web sources and reporting breaches that include your personal data and identity
- Simple solutions to address leaks and digital footprint weak spots