LastPass released an advisory today informing customers that the company was hacked two weeks ago. The password management company stated it had been breached through a compromised developer account, which the attackers used to access the LastPass developer environment. The advisory claims there is no evidence that customer data or encrypted password vaults were compromised, but portions of the company’s source code were stolen. Additionally, the company stated that customers’ master passwords were not compromised because they “utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.” LastPass has not provided further details regarding the attack, how the threat actors compromised the developer account, or what source code was stolen.
LastPass did not recommend any action by its users or administrators, since their information was not compromised. However, the company did recommend that users update their devices and set up multifactor authentication on their accounts. Additionally, it provided the following guidelines for users’ master passwords.
• A minimum of 12 characters (the longer the better!)
• Upper case, lower case, numeric, and special character values
• A random, memorable passphrase (but one that’s not easily guessed)
• No personal information (pet names, street addresses, family names)