LastPass stores passwords for over 33 million people around the world. On August 25th, 2022, the company revealed that it had been breached.
In a statement, CEO Karim Toubba said:
"I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.
Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults."
What businesses need to know about the LastPass breach
Crucially, no passwords appear to have been compromised, master passwords included: the intrusion reached a development environment, and LastPass reports no evidence of access to customer data or encrypted vaults. On that basis, businesses do not appear to need to force password changes, though the assessment rests on an investigation that was still under way when the statement was issued.
In an FAQ released alongside the above statement, LastPass confirmed:
"At this time, we don’t recommend any action on behalf of our users or administrators."
"This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password"
What we can learn from this attack
Despite the concerns any successful breach raises, LastPass's customers (businesses included) can take some reassurance from its zero-knowledge design: vault data is encrypted on the client with a key derived from the master password, and that password is never sent to LastPass, so access to LastPass's own systems does not by itself yield usable credentials. The potential risk in this case therefore remained minimal.
A Darkbeam Analyst explains:
"This speaks to the power of zero-knowledge security. Your third parties will always add some risk to your system. However, the ability to supply users with their information without having that information themselves is a great mitigation. If only the zero-knowledge model were usable and used by all third parties, the supply chain would be far more secure."
Security teams can point to this incident as an example of a design decision, not holding the key material needed to read customer data, limiting what an intrusion can expose. The caveat is that zero-knowledge protection is only as strong as the master password behind it: an attacker who obtained encrypted vault data could still test master-password guesses offline, so strong master passwords and a high key-derivation work factor remain the user's side of the bargain.
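To make the zero-knowledge argument in the FAQ and the analyst's comment concrete, here is an added toy model of a provider-side vault store. It is illustration code written for this page, not LastPass's implementation: the iteration count, the key-derivation layout (login hash derived from the encryption key, so the stored value cannot be reversed into the key) and the vault cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM so that it runs on the standard library alone) are all assumptions. The user email, master password and vault contents are constructed sample data. It shows the legitimate client round trip, what an intruder holding a full copy of server storage can and cannot do, and the residual offline-guessing risk that a weak master password leaves open.

```python
"""Toy model of a zero-knowledge password vault (added example, not LastPass code).

The master password never leaves the client; the server holds only a login hash and
an opaque ciphertext, both derived client-side. The cipher here is an HMAC-SHA256
keystream plus an encrypt-then-MAC tag, a stand-in for a real AEAD (e.g. AES-GCM).
Iteration count and key layout are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumed work factor; not the page's or LastPass's figure
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master_password: str, email: str, iterations: int = ITERATIONS):
    """Client side. enc_key decrypts the vault; login_hash is one further one-way
    derivation of enc_key, so the value the server keeps cannot yield the key."""
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  email.lower().encode(), iterations, dklen=32)
    login_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1, dklen=32)
    return enc_key, login_hash


def _subkeys(enc_key: bytes):
    # Separate confidentiality and integrity keys, both derived from enc_key.
    return (hmac.new(enc_key, b"vault-enc", hashlib.sha256).digest(),
            hmac.new(enc_key, b"vault-mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (illustrative, not a standard cipher).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    k_enc, k_mac = _subkeys(enc_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _subkeys(enc_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault integrity check failed (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


class VaultServer:
    """What the provider holds per user: a login hash and an opaque ciphertext."""

    def __init__(self):
        self._records = {}

    def store(self, email: str, login_hash: bytes, blob: bytes) -> None:
        self._records[email.lower()] = {"login_hash": login_hash, "vault": blob}

    def fetch(self, email: str, login_hash: bytes) -> bytes:
        rec = self._records[email.lower()]
        if not hmac.compare_digest(rec["login_hash"], login_hash):
            raise PermissionError("login hash mismatch")
        return rec["vault"]

    def dump(self) -> dict:
        """Everything an intruder with full server access could copy."""
        return {k: dict(v) for k, v in self._records.items()}


def attacker_decrypts(dump: dict, email: str) -> bool:
    """Try to open a dumped vault with the only key-like value the server held."""
    rec = dump[email.lower()]
    try:
        decrypt_vault(rec["login_hash"], rec["vault"])
        return True
    except ValueError:
        return False


def offline_guess(dump: dict, email: str, candidates, iterations: int = ITERATIONS):
    """Residual risk: the dump lets an attacker test master-password guesses offline
    against the login hash, so a weak master password still loses."""
    rec = dump[email.lower()]
    for guess in candidates:
        _, h = derive_keys(guess, email, iterations)
        if hmac.compare_digest(h, rec["login_hash"]):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample user and vault.
    email, master = "alice@example.com", "correct horse battery staple"
    enc_key, login_hash = derive_keys(master, email)
    server = VaultServer()
    server.store(email, login_hash, encrypt_vault(enc_key, b'{"github.com": "hunter2"}'))
    # Legitimate client: re-derive keys locally, authenticate, decrypt.
    k, h = derive_keys(master, email)
    print("client reads:", decrypt_vault(k, server.fetch(email, h)))
    # Intruder with a full copy of server storage.
    print("attacker decrypts with server data:", attacker_decrypts(server.dump(), email))
    print("offline guess from a short wordlist:",
          offline_guess(server.dump(), email, ["password", "letmein"]))
```

The server never sees `master` or `enc_key`, which is the property the FAQ describes; `offline_guess` is the part the FAQ does not mention, and it is why the work factor and master-password strength matter even when the provider's own systems are the only thing compromised.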
For information and ongoing support around third-party cyber risk management and actionable threat intelligence, businesses are invited to contact Darkbeam using the form below: