Hack in password manager LastPass did not expose users' data: CEO


New Delhi, Sep 18 (IANS): The CEO of popular encrypted password manager LastPass has said that the hacking episode last month did not involve any access to customers' data or encrypted password vaults.

In his latest statement, Karim Toubba, CEO of LastPass, admitted that the threat actor behind the August security breach had internal access to the company's systems for four days until they were detected and evicted.

"Our investigation revealed that the threat actor's activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor's activity and then contained the incident," Toubba said.

The investigation found that the threat actor gained access to the platform's development environment using a developer's compromised endpoint.

The threat actor utilised their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.

"Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults," said the CEO.

LastPass is a freemium password manager that stores encrypted passwords online.

The CEO said that LastPass does not have any access to the master passwords of its customers' vaults.

"Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model," he mentioned.

The company said that, after the incident, it has deployed enhanced security controls, including additional endpoint security controls and monitoring.

 

  
