LastPass hacked

Rethink Power of Identity!!! Confirmed: LastPass Hacked, Millions of passwords at Risk due to poor Identity & Access management. Multilayered defense became ineffective.


News of the LastPass hack first emerged on August 25, when the company’s CEO, Karim Toubba, confirmed that an unauthorized party had stolen portions of the code and some proprietary technical information from the servers. Passwords stored in the service are encrypted, but many people are still advised to change their passwords immediately as an extra precaution. Here is what you need to know about this hack and how it impacts you.

How did this happen?

Two weeks ago, LastPass detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, LastPass has seen no evidence that this incident involved any access to customer data or encrypted password vaults.

LastPass has determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Currently, LastPass products and services are operating normally.

What does this mean for you?

Because of poor identity and access management practices, LastPass is today embarrassed in front of 25 million users, and it is possible that many of those 25 million will never trust it again.

What should I do?

We advise you to change the passwords you have stored in LastPass, and also any similar passwords that you have not saved in LastPass.

Although LastPass has not asked anyone to change their password, prevention is always better than cure.

Do I need to change my passwords now?

You should change all passwords directly in the services themselves: log in to the apps and websites that store your account information and change the password there. Prioritize applications and data by how critical they are to you.

Are any passwords compromised?

According to the official LastPass post, https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/, the hackers were unable to reach customer data and passwords.

Good news: the password-saving site appears not to have leaked any passwords. Bad news: its source code has been compromised.

A2Talks' advice to all who want to learn from others' mistakes:

Currently there are many incidents involving compromised identities, such as those at LastPass and Okta. Both organizations were trustworthy. The fact that these kinds of breaches are occurring only proves that CISOs who think identity management is just a help desk function are completely wrong. If we look at this breach from a CISO’s point of view, the developer's identity was compromised and used to gain access to the LastPass servers. With IAM best practices (MFA, PAM, IGA, UBA) implemented, LastPass would not be embarrassed again in front of 25 million users.

