LastPass reports hack, but no password resets required

LastPass reports a data breach. A hacker would have accessed the company’s systems through a developer account and would have stolen parts of source code and ‘patented technical information’, but no user data.

LastPass underlined that it “is not currently recommending any action to users or administrators” of the service. This is because master passwords and the contents of the vaults have apparently not been stolen. LastPass does not say so in such absolute terms but states that “no evidence of unauthorized access to encrypted vault data has been found.” The burglary happened two weeks ago.

As is known, LastPass stores the data about its customers encrypted. This ensures that if a digital intruder manages to get hold of this data, he will still have to decrypt it. LastPass itself also cannot access customer data, which is why users are permanently locked out if they forget their password and the various password recovery options do not help.

“In response to the incident, we have taken steps to mitigate and mitigate the situation. We have engaged a leading cybersecurity and research firm. While our investigation is ongoing, we have put in place a state of containment and additional security measures. We see no further evidence of unauthorized activity.”

A LastPass vault in Google Chrome