Security breach at LastPass not a direct threat to customer credentials, but nature of stolen information remains unknown

LastPass issued notice of the security breach on August 25. The company said that it had detected unusual activity in its password manager development environment two weeks prior and had traced it back to a single compromised developer account. The investigation did not turn up any illicit access to the encrypted password vaults or customer credentials, but did apparently provide the attacker with “portions of source code” and some amount of “proprietary technical information.”

The LastPass announcement stressed that the security breach could not have compromised customer “Master Passwords” due to the password manager’s “Zero Knowledge” architecture, which does not store these credentials on a company server. The wording of the announcement indicated that the development environment is separate from the architecture used to handle encrypted vault data.

The company is not currently recommending that its password manager customers take any special action in response to the security breach. LastPass also did not make mention of any new security measures being added in response to the breach. It reiterated its list of existing practices, such as annual penetration testing, its bug bounty program and free regular dark web monitoring for the appearance of password manager credentials.

Password managers offer sound credential and data security, but theft of source code is concerning

In terms of handling user login credentials and stored data, LastPass appears to be doing everything right to minimize the impact of such a security breach. The hacker would not be able to get at locally-stored master passwords, and the encrypted vaults are secured with strong encryption protocols. The part that might cause concern is the fact that source code was stolen, particularly as the password manager has opted not to share specific details about what made it out the door.