LastPass Hacked, Source Code Leaked
2022-8-26 07:51:42 Author: 非尝咸鱼贩

Not long ago, Twilio was breached through employee phishing, an incident that even affected Signal.

Before long, misfortune struck LastPass as well.

A new post on the official LastPass blog says that one of their developer accounts was recently compromised: the attacker accessed the development environment and part of the source code, but no production user data was involved. The notice does not currently say how the developer account was compromised.

As an idle onlooker's irresponsible speculation, the two incidents may be connected.

The full text follows (the original post paired it with a Chinese machine translation):

Notice of Recent Security Incident

https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

To All LastPass Customers,  


I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.  


Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.  


We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally. 


In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.  


Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.  


Thank you for your patience, understanding and support.  


Karim Toubba 

CEO LastPass 

FAQs 


1. Has my Master password or the Master Password of my users been compromised?  


No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.


2. Has any data within my vault or my users’ vaults been compromised?  


No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.


3. Has any of my personal information or the personal information of my users been compromised? 


No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.  


4. What should I do to protect myself and my vault data? 


At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here. 


5. How can I get more information? 


We will continue to update our customers with the transparency they deserve.  

For further developments, refer to what LastPass officially publishes.


Source: http://mp.weixin.qq.com/s?__biz=Mzk0NDE3MTkzNQ==&mid=2247484463&idx=1&sn=0a75b3fcfbe8a7c1389be059475e983c&chksm=c329fadff45e73c9c419455614503c27e10b785e8d7fb864471b412114c59209101a0f8907ba#rd