Some of LastPass’ customers have been informed that information was accessed in a cybersecurity breach, but passwords remain safe.
There are several password managers on the market that aim to reduce the reuse of passwords online by storing them in a single app. In addition to storing passwords, they also make them easier to generate as required.
LastPass said in August that the company discovered that some of its source code and technical information had been taken through unauthorized access to a third-party storage service the company had been using.
The company said that while the threat actor had been able to access the company’s development environment, customer data and encrypted passwords had been protected.
In August, LastPass said the attacker had taken portions of source code and some LastPass proprietary technical information, but the firm believed the risk to the app was limited.
LastPass said that its production environment was physically separate from the development environment and not directly connected to it. By analyzing its source code and production builds, the company also verified that there had been no attempts to inject malicious code.
The statement said that developers were not able to push source code from the development environment into production.
“Building and releasing this feature requires a separate build release team, and it can only happen after rigorous code review, testing, and validation processes are completed.”
The CEO, Karim Toubba, informed customers on Wednesday that an “unauthorized party” using information from the prior attack had been able to access “certain elements of our clients’ information.”
The company declined to specify what information was exposed but said passwords remained securely encrypted. Only the user can decrypt the passwords LastPass stores since LastPass doesn’t have access to customers’ master passwords.
Toubba said that they were working hard to understand the extent of the incident and to identify what specific data had been accessed.
“We can assure you that LastPass products and services remain unaffected for the time being.”
More security measures and monitoring to detect any future threat actor activity will be put in place, Toubba said.