2022-12-01

LastPass, one of the most popular third-party password managers, is warning all users of a “security incident” that its team is actively investigating. In a blog post on Wednesday, the company assured users that “passwords remain safely encrypted”.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” wrote Karim Toubba, LastPass CEO. “As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.”

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq pic.twitter.com/ynuGVwiZcK — LastPass (@LastPass) November 30, 2022

The breach is related to an August incident in which “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” At the time, LastPass said there was “no evidence of any unauthorized access to customer data in our production environment.”

Now, LastPass says the unauthorized party was able to gain access to “certain elements of our customers’ information.” Toubba doesn’t elaborate on what those elements are or how many users were affected. LastPass makes Mac and iOS apps and is very popular among Apple users.

LastPass said it worked with cybersecurity firm Mandiant to investigate the incident and confirmed it had notified law enforcement of the attack.

While passwords appear to be safe, it’s not a bad idea to change your master password if you use LastPass. And certainly keep an eye on any of your accounts for suspicious activity until we learn more.

We have advice on choosing a strong password in a separate article.