LastPass, a popular password manager used by over 33 million people around the world, reported that hackers recently broke into its systems and stole parts of its source code and proprietary technical information. LastPass stated, however, that no passwords were taken in the breach. The company did not recommend that users and administrators take any action; they just need to follow best practices around the setup and configuration of LastPass.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally,” said Karim Toubba, CEO of LastPass, in his blog post.
LastPass detected some unusual activity within portions of its development environment two weeks ago. However, investigations showed no evidence that the incident involved hackers gaining access to customer data or encrypted password vaults.
Following the security incident, LastPass deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm. While the investigation is still in progress, LastPass’s CEO said that the company was able to contain the incident and has implemented additional enhanced security measures. There was no further evidence of unauthorized activity.
LastPass has assured its customers that the security incident did not compromise their Master Password. “We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” said LastPass in the FAQ section it opened for its customers.