LastPass Hacked: Password Manager With 25 Million Users Confirms Breach

One of the world's biggest password managers with 25 million users, LastPass, has confirmed that it has been hacked. In an advisory published on August 25, Karim Toubba, the LastPass CEO, said that an unauthorized party had stolen "portions of source code and some proprietary LastPass technical information."

What was accessed during the LastPass network breach?

The breach appears to have affected the development servers, was facilitated by the compromise of a LastPass developer account, and took place two weeks ago. Incident responders have contained the breach, and LastPass says there is no evidence of further malicious activity. Toubba also confirmed that no evidence has been found of any customer data or encrypted password vaults being accessed.

Has your LastPass master password or password vault been compromised?

LastPass users will, of course, be concerned that a hacker could have got hold of the keys to their online kingdom: their passwords. However, LastPass has made it clear that, courtesy of the 'zero knowledge' architecture implemented, master passwords are never stored. "LastPass can never know or gain access to our customers' master password," Toubba said, "this incident did not compromise your master password." As such, LastPass says that no action is required by users in regard to their password vaults.

Not their first rodeo

While LastPass should be congratulated for the transparency being displayed in response to this incident, it isn't the first time that users of the password manager have had to deal with news of a breach. In June 2015, the company confirmed that hackers had accessed the network. Then, unlike now, users were prompted to change master passwords when logging in.

Concerns over what LastPass technical information was stolen

It's good news that customer data was not compromised in this latest incident, but the fact that the intruder accessed source code and 'proprietary technical information' is worrying, especially as there are no further details regarding exactly what has been stolen.

This is a breaking and, therefore, still developing story. I will update this article as more information becomes known.
