LastPass, a password manager with more than 33 million users around the world, released a statement Thursday night to say that its systems were attacked by cybercriminals two weeks ago and that information from its source code, along with technical information owned by the company, was stolen.
The company also indicated in its statement that it does not consider users' passwords to have been compromised during the security breach, since it uses a Zero Knowledge system, which prevents its systems from storing login credentials, so its customers do not need to take preventive action.
The investigation carried out by LastPass, as detailed in the publication, found that the cybercriminals entered through a compromised developer account and that the company's products and services “continue to function normally.”
As indicated in the company’s statement, it took security measures in LastPass systems and the incident is in a state of containment. In addition, it stated that, in response to the incident, “a leading cybersecurity and forensic analysis company has been hired.”
Bloomberg indicated that Allan Liska, an analyst with the computer security incident response team at the cybersecurity company Recorded Future, stated that they are surprised by the time it took for LastPass to inform its customers about the incident.
“To some, two weeks may seem like a long time, incident response teams may take time to fully assess the situation before reporting it,” he told the US outlet. He also added that the extent of the damage produced by the cyberattack will take time to determine, but it doesn’t seem to have affected LastPass users.
For now, the affected company indicated that it will keep its clients informed regarding this incident.
How password managers work
Password managers securely store the keys for the different accounts or websites that require access credentials to enter user accounts or profiles. In this way, people can spend more time browsing the internet.
Although browsers, such as Chrome, already offer options related to password management, external services have additional options, such as automatic creation of random passwords and alerts about unreliable keys or keys that were leaked by someone on the internet.
When a user first registers a username and password on a web page, the password manager saves that information so that, at the next opportunity, the data is auto-completed. In this way the user does not have to type them again.
A different key is generated for each of the user’s accounts and, in some cases, password managers also offer a storage service for data such as personal documents (DNI, passport, driver’s license, etc.).
In some cases, the master password is stored locally or on an encrypted server so that if there is a vulnerability, or a cyberattack aimed at the manager, user information is not compromised.
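The Zero Knowledge idea mentioned in the statement can be sketched as follows. This is an added, generic illustration, not LastPass's code or its actual scheme; the function names, labels, work factor and sample credentials are all assumptions made for the example. The device stretches the master password and derives two separate values: a vault key that never leaves the device and a login token that the server hashes again before storing.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000  # constructed work factor for this sketch


def client_derive(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Runs on the user's device; returns (vault_key, login_token)."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ROUNDS)
    # Two independent values from one stretched secret, separated by label.
    vault_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    login_token = hmac.new(root, b"server-login", hashlib.sha256).digest()
    return vault_key, login_token


class Server:
    """Keeps only what it needs to check a login, never the vault key."""

    def __init__(self) -> None:
        self.records: dict[str, dict[str, bytes]] = {}

    def register(self, user: str, kdf_salt: bytes, login_token: bytes) -> None:
        server_salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_token, server_salt, KDF_ROUNDS)
        self.records[user] = {"kdf_salt": kdf_salt, "server_salt": server_salt,
                              "verifier": verifier}

    def login(self, user: str, login_token: bytes) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", login_token, rec["server_salt"], KDF_ROUNDS)
        return hmac.compare_digest(candidate, rec["verifier"])


def demo() -> dict:
    user, salt = "alice@example.com", os.urandom(16)  # constructed account
    vault_key, token = client_derive("correct horse battery staple", salt)
    server = Server()
    server.register(user, salt, token)
    _, wrong_token = client_derive("wrong guess", salt)
    stored = b"".join(server.records[user].values())
    return {"good_login": server.login(user, token),
            "bad_login": server.login(user, wrong_token),
            "secret_on_server": vault_key in stored or token in stored}


if __name__ == "__main__":
    print(demo())
```

In this sketch a copy of the server's records contains the salts and a verifier only, so an attacker holding it still has to guess the master password to reach the vault key.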
To keep access to the different accounts secured, it is recommended to change users' keys on a regular basis, in addition to using various levels of authentication to prevent unauthorized remote access from other devices.