The company states that user data remains secure and it continues to investigate the incident. Credit: Hernan4429 / Getty Images LastPass, maker of a popular password management application, revealed Thursday that an unauthorized party gained access to its development environment through a compromised developer account and stole some source code and proprietary technical information. An initial probe of the incident has revealed no evidence that customer data or encrypted password vaults were accessed by the intruder, CEO Karim Toubba stated in a company blog post.Toubba explained that the master passwords of the company’s users are protected by a zero-knowledge architecture, which prevents LastPass from knowing or accessing those passwords.“Our products and services are operating normally,” adds LastPass spokesperson Nikolett Bacso Albaum. “In response [to the incident], we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm.”“While our investigation is ongoing,” she continues, “we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.” Password managers an attractive targetWhile the motive of the people responsible for this LastPass incident is unknown, password managers are a challenging but attractive target for threat actors, observes Melissa Bischoping, an endpoint security research specialist with Tanium, an endpoint management and security company. “They unlock—quite literally—a treasure trove of access to hundreds of thousands of accounts and sensitive customer data in an instant, if they are breached,” she says.Also unknown is how the developer account was compromised. Presumably, LastPass had proper authentication controls in place, but sometimes “even strong authentication solutions are not enough for various reasons,” says Rajiv Pimplaskar, CEO of Dispersive Holdings, a secure access service edge provider. LastPass able to contain the damageTaylor Ellis, customer threat analyst at Horizon3.ai, an automated penetration testing as a service company, praises LastPass for the way it has handled the incident. “Whenever a breach occurs, many organizations fail to isolate the incident quickly, or they struggle with how to guide a proper security investigation,” she explains. “As an experienced security company, LastPass at least had the home team advantage by following the correct procedures, isolating the issue on time, and preventing their customers from being severely impacted by the breach.” Related content news Okta launches Cybersecurity Workforce Development Initiative New philanthropic and educational grants aim to advance inclusive pathways into cybersecurity and technology careers. By Michael Hill Oct 04, 2023 3 mins IT Skills IT Skills IT Skills news New critical AI vulnerabilities in TorchServe put thousands of AI models at risk The vulnerabilities can completely compromise the AI infrastructure of the world’s biggest businesses, Oligo Security said. By Shweta Sharma Oct 04, 2023 4 mins Vulnerabilities news ChatGPT “not a reliable” tool for detecting vulnerabilities in developed code NCC Group report claims machine learning models show strong promise in detecting novel zero-day attacks. By Michael Hill Oct 04, 2023 3 mins DevSecOps Generative AI Vulnerabilities news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe