Another LastPass Incident


The popular password manager LastPass has recently issued a security notification about an incident it experienced. Below are the details:

Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident:

We thank you for your patience while we work through our investigation.

The Team at LastPass

They also posted some FAQs about this incident:

1. Has my Master password or the Master Password of my users been compromised?

No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.

2. Has any data within my vault or my users’ vaults been compromised?

No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.

3. Has any of my personal information or the personal information of my users been compromised?

No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.

4. What should I do to protect myself and my vault data?

At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.

5. How can I get more information?

We will continue to update our customers with the transparency they deserve.