LastPass, a password manager with more than 33 million users around the world, issued a statement Thursday night to say that its systems were attacked by cybercriminals two weeks ago and that information from its source code, along with proprietary technical information the company was robbed.
The company also indicated in its statement that it does not consider that passwords have been compromised during the security breach, since it uses a Zero Knowledge, which prevents its system from storing access credentials, so it would not be necessary for your clients to take preventive measures.
The investigation carried out by LastPass, as detailed in the publication, identified that the cybercriminals entered through a developer account that was compromised and that their products and services “continue to function normally.”
As indicated in the company’s statement, security measures in LastPass systems and the incident are in a state of containment. In addition, he stated that, in response to the incident, “a leading cybersecurity and forensic analysis company has been hired.”
An expert with the computer security incident response team, said he was surprised by how long it took LastPass to inform its customers about the incident.
“To some, two weeks may seem like a long time, incident response teams may take time to fully assess the situation before reporting it,” he told the US outlet. He also added that the extent of the damage caused by the cyberattack will take time to determine, but that it does not appear to have affected LastPass users.
For now, the affected company indicated that it will keep its clients informed regarding this incident.
Password managers are secure key administrators for different accounts or websites that require access credentials to access user accounts or profiles. In this way, people can spend more time browsing the internet.
Although browsers, such as Chrome, already offer options related to password management, external services have additional options, such as the creation of random passwords automatically, alerts of unreliable passwords or that were leaked by someone on the Internet.
During the first registration of the user and the password on a web page, the password manager saves this information so that, the next time, the data is auto-completed. In this way the user does not have to write them again.
The generation of keys is different for each of the user’s accounts and it is possible that, in some cases, the password managers offer data storage such as personal documents (DNI, passport, driver’s license, etc).
In some cases, the master password is stored locally or on an encrypted server so that if there is a vulnerability, or a computer attack directed at the manager, the user information is not compromised. To keep access to the different accounts secure, it is recommended to change the password of the users periodically, in addition to using several levels of authentication to prevent unauthorized access from other devices remotely.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.