LastPass was hacked, but user data was not affected

LastPass is still reporting the August hack. No user data has been compromised, but caution is still advised.

LastPass acknowledged in August that an “unauthorized person”was able to infiltrate its systems. Information of this nature from a hacked password manager is worrisome, but today the company wants to reassure its users that their IDs and other personal information were not compromised during this incident.

LastPass is still reporting a hack in August

In his latest post on this hack, LastPass CEO Karim Tubba explained that the company’s investigation with cybersecurity company Mandiant found that the attacker had internal access to its systems for four days. The latter was able to steal the password manager’s source code and technical information, but his access was limited to the service’s development environment, which is not linked to user data or encrypted vaults. In addition, Karim Tubba clarified that LastPass does not have any access to users’ master passwords, which are required to decrypt the vaults.

User data has not been compromised

The CEO also clarified that there is no evidence that this incident “is related to any access to personal data or encrypted password vaults.”They also found no evidence of unauthorized access beyond that four-day period and no evidence of any malicious code being introduced into the systems. Karim Tubba claims that the attacker was able to infiltrate system systems by compromising the developer’s system. The hacker was then able to impersonate the latter “after successfully authenticating with two-factor authentication.”

But caution is always in order

LastPass experienced a security breach in 2015 that compromised email addresses, user ID hashes, password reminders, and other user information. Such a shortcoming would be disastrous today, when the service has more than 33 million registered customers. While LastPass doesn’t advise its users to take any specific action, it’s always a good idea to not reuse passwords and enable two-factor authentication.