When LastPass received notification of suspicious activity, it quickly launched an investigation and implemented mitigation measures. The company said it found no evidence that the incident involved any access to customer data or encrypted password vaults.
LastPass admits that an unauthorized actor gained access to parts of its development environment through a single compromised developer account. The attackers stole portions of the source code as well as “some proprietary LastPass technical information.”
However, LastPass stated that users' master passwords remain safe and have not been compromised or accessed by the attacker, because LastPass neither knows nor keeps a copy of users' master passwords.
“We never store or know your Master Password. We utilize an industry-standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” the company states in its blog post.
LastPass is not recommending any action for users or business account administrators at the moment. It has only recommended that users and businesses continue to follow best practices.
Last year, multiple LastPass users reported login attempts on their accounts using their correct master passwords. Users received emails from LastPass saying that the correct master password had been used but that the attempt was still blocked because of an unusual geographic location.
LastPass has also announced that users will no longer be able to use a free account on both mobile and desktop simultaneously.
Update:
Hacker Had Internal Access for Four Days
LastPass has updated its incident report after completing the investigation and forensics process.
The investigation was conducted in partnership with Mandiant. It revealed that the threat actor’s activity was limited to four days in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and contained the incident.
LastPass added: “There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”