The company states that user data remains secure and it continues to investigate the incident. Credit: Hernan4429 / Getty Images LastPass, maker of a popular password management application, revealed Thursday that an unauthorized party gained access to its development environment through a compromised developer account and stole some source code and proprietary technical information. An initial probe of the incident has revealed no evidence that customer data or encrypted password vaults were accessed by the intruder, CEO Karim Toubba stated in a company blog post.Toubba explained that the master passwords of the company’s users are protected by a zero-knowledge architecture, which prevents LastPass from knowing or accessing those passwords.“Our products and services are operating normally,” adds LastPass spokesperson Nikolett Bacso Albaum. “In response [to the incident], we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm.” “While our investigation is ongoing,” she continues, “we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.” Password managers an attractive targetWhile the motive of the people responsible for this LastPass incident is unknown, password managers are a challenging but attractive target for threat actors, observes Melissa Bischoping, an endpoint security research specialist with Tanium, an endpoint management and security company. “They unlock—quite literally—a treasure trove of access to hundreds of thousands of accounts and sensitive customer data in an instant, if they are breached,” she says.Also unknown is how the developer account was compromised. Presumably, LastPass had proper authentication controls in place, but sometimes “even strong authentication solutions are not enough for various reasons,” says Rajiv Pimplaskar, CEO of Dispersive Holdings, a secure access service edge provider. LastPass able to contain the damageTaylor Ellis, customer threat analyst at Horizon3.ai, an automated penetration testing as a service company, praises LastPass for the way it has handled the incident. “Whenever a breach occurs, many organizations fail to isolate the incident quickly, or they struggle with how to guide a proper security investigation,” she explains. “As an experienced security company, LastPass at least had the home team advantage by following the correct procedures, isolating the issue on time, and preventing their customers from being severely impacted by the breach.” Related content news Fortinet grabs cloud security player Lacework Fortinet will integrate Lacework's technology across its secure access service edge (SASE) and Security Fabric packages. By Michael Cooney Jun 11, 2024 1 min Cloud Security news Netskope secures SaaS apps with genAI Enhancements to Netskope’s cloud access security broker (CASB) module aim to secure the use of genAI and SaaS applications. By Denise Dubie Jun 11, 2024 1 min Network Security feature The risks in mergers and acquisitions CISOs need to know Ignoring cybersecurity in M&As can result in devastating breaches, financial loss, and operational disruptions. Learn about the tell-tale signs that could put business deals at risk. By Aimee Chanthadavong Jun 11, 2024 8 mins Cyberattacks Mergers and Acquisitions Risk Management feature Certified Ethical Hacker (CEH): Certification cost, training, and value Certified Ethical Hacker (CEH) is an early-career certification for security pros interested in assessing target systems using techniques often associated with hackers to help identify vulnerabilities for employers or clients. Learn how it will impac By Josh Fruhlinger Jun 11, 2024 9 mins Certifications Penetration Testing Careers PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe