LastPass Keeps Getting Hacked: What You Risk
This is a new alert that LastPass could have done without. Karim Toubba, the managing director of the company, has just published a blog post to inform the public that an “unauthorized party” obtained access to certain customer information stored on a third-party cloud service shared between LastPass and GoTo, the company that oversees the service. The incident happened last August.
“Passwords remain securely encrypted”
At this time, LastPass does not specify what types of information were stolen, but the company says it is trying to “understand the scope of the incident and identify what specific information was accessed”.
In any case, Karim Toubba wants to be reassuring for users of the service: “Our customers’ passwords remain securely encrypted thanks to LastPass’ Zero Knowledge architecture.”
The executive adds: “In the meantime, we can confirm that LastPass products and services remain fully functional. (…) As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent new activity by threat actors.”
In the meantime, if you are concerned, LastPass invites you to visit the following page and follow the security best practices it recommends.
Either way, this news comes at a bad time for the password manager. Last September, LastPass had already been the victim of a hack: an unauthorized person gained access to part of the service’s development environment using a developer’s compromised account, which was enough to steal portions of the company’s proprietary code and certain technical information.
At the time, Karim Toubba said: “This incident occurred in our development environment. Our investigation showed no evidence of unauthorized access to encrypted vault data. Our zero-knowledge model ensures that only the customer has access to decrypt the vault data.”
Towards the end of passwords?
Beyond the LastPass case, these cases raise the question of password security in general. The FIDO Alliance has already developed a new and much more secure authentication technique based on a system of private and public cryptographic keys.
This “passkey” will soon be adopted by the tech giants Google, Apple, and Microsoft. It remains to be seen whether the method will prove itself and convince the general public. If so, passwords will be a distant bad memory.