LastPass disclosed in August that an "unauthorized party" had gained access to its network. Concerned users may have been relieved to learn that their login credentials and other sensitive data were not compromised by the recent hack of the password manager.
LastPass CEO Karim Toubba recently updated the company's status on the incident, saying that the investigation conducted in conjunction with cybersecurity firm Mandiant has revealed that the bad actor had internal access to the company's systems for four days. Some of the password manager's source code and technical details were stolen, but the attacker could only take them from the service's development environment, which is disconnected from customer data and encrypted vaults. Toubba also noted that users' vaults are encrypted with their master passwords, which LastPass does not have access to.
According to the CEO, there is "no evidence" that "any access to customer data or encrypted password vaults" was involved in this incident. Investigators also found no indication that the hacker had injected malicious code into the systems or that there had been any unauthorized access beyond those four days. Toubba said the attacker gained access to the service's network by exploiting a vulnerability in a developer's endpoint. Following the developer's "successful authentication using multi-factor authentication," the hacker impersonated the developer from that compromised endpoint.
In 2015, a security breach exposed users' email addresses, authentication hashes, password reminders, and other data stored in LastPass. Since the service is now estimated to have over 33 million paying users, a similar breach would have far more severe consequences. LastPass isn't requiring any special precautions from its users in this instance, but it's still a good idea to use a strong master password and enable two-factor authentication just in case.