Users’ master passwords are safe, thanks to company’s ‘zero knowledge’ architecture

LastPass flags security incident after attackers stole source code, technical information

LastPass has alerted users to a security incident after an unauthorized party gained access to the company’s internal network.

In a statement issued yesterday (August 25), LastPass CEO Karim Toubba said “unusual activity” was detected within portions of the software firm’s production environment.

A subsequent investigation revealed that attackers had gained access through a compromised developer account and “took portions of source code and some proprietary LastPass technical information”.

LastPass was quick to note that users’ master passwords were not compromised as part of this attack, due to the company’s ‘zero knowledge’ architecture.

“Our investigation has shown no evidence of any unauthorized access to encrypted vault data,” the company added. “Our zero knowledge model ensures that only the customer has access to decrypt vault data.”
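To make the “zero knowledge” claim concrete, here is an added illustration (not LastPass’s code; the key-derivation layout, the work factor and the sample data are assumptions) of how such a model keeps the master password and the vault key on the client, so that everything the service stores is useless for decryption even if the server side is fully exposed:

```python
import hashlib, hmac, os

ITERATIONS = 100_100  # constructed demo value; pick a current, high work factor in practice

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Client-side only: stretched from the master password, salted with the account
    # e-mail; this key never leaves the device.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)

def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    # One further one-way step yields the server credential; the server never learns the vault key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("vault integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_record(login_hash: bytes, encrypted_vault: bytes) -> dict:
    # Everything the service persists: a salted hash of the login hash plus opaque
    # ciphertext. Neither the master password nor the vault key is present.
    salt = os.urandom(16)
    return {"salt": salt, "vault": encrypted_vault,
            "login_hash_hash": hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)}

def server_verify(record: dict, login_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["login_hash_hash"])
```

The consequence for an incident like this one: stolen source code reveals the algorithm, but the algorithm is public by design, and the stored record still has to be brute-forced through the full PBKDF2 work factor per guess.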

Mitigation measures

In response to the incident, LastPass said it has deployed “containment and mitigation” measures and engaged a cybersecurity and forensics firm.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” Toubba said.

“At this time, we don’t recommend any action on behalf of our users or administrators.”
