World’s Most Popular Password Manager, With More Than 33 Million Users, Discloses “Security Incident”
August 27, 2022 3:17 pm
LastPass, one of the world’s most popular password managers, has confirmed it has been hacked…err, has had a “security incident”.
Last week the company started notifying its users of a “recent security incident” where an “unauthorized party” gained access to a developer account and accessed parts of its password manager’s source code and “some proprietary LastPass technical information,” according to The Verge.
The company said that some source code was stolen, but that no passwords were taken.
It wrote a letter to its users on Wednesday which stated: “Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
It continued: “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” the letter concluded.
In a FAQ attached to the bottom of the letter, the company says that users’ Master Passwords had not been compromised: “This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.”
The company also said that no data from clients’ vaults had been taken because the hack happened in the development environment. The letter stated: “This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.”
LastPass is used by more than 33 million clients worldwide.
According to the Verge report, the company has explained to its users that they don’t have to do anything specific to respond to the hack. And, as long as this week’s disclosure covered the extent of it, and no additional details about the breach come out over the next few days, maybe LastPass (and its users) can move forward from the incident…