A cyber thief stole LastPass internal source code and documents.
The maker of the password manager said Thursday that someone broke into one of its developer accounts and used it to gain access to proprietary data.
The Massachusetts-based business, a big beast in the security world, insisted its users’ passwords were still safe, adding that the theft happened about two weeks ago. GoTo-owned LastPass is said to have more than 25 million users and 80,000 business customers.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of LastPass source code and certain proprietary technical information,” CEO Karim Toubba said in a statement.
“Our products and services are operating as normal.”
The theft became apparent, we are told, after “some unusual activity” was detected in the development area of LastPass’ computer network. The software house said it had contained the security breach, taken steps to prevent it from happening again, and contacted outside information security experts for help.
The CEO said his team can take more steps to bolster its network defenses.
LastPass offers a software vault that stores the username and password pairs you use to log in to websites, saving you from having to memorize many long and complex strings – you can create unique, hard-to-crack passwords for each website account and store them in your vault. A master passphrase is required to unlock and use these credentials. All you have to do is create and remember that secret phrase.
We are told that these master passwords are still secure and have not been compromised or accessed by the intruder, and the contents of people’s vaults have not been touched either. For one thing, LastPass doesn’t know or keep a copy of your Master Password—it’s for you to memorize and protect.
Sit back and relax is the message. “Our investigation has shown no evidence of any unauthorized access to customer data in our production environment,” LastPass added in a statement. “At this time, we do not recommend any action on behalf of our users or administrators.”
That said, LastPass hasn’t been without bugs over the years. In 2019, it fixed a bug that websites could exploit to steal account passwords for other sites; in 2017, it had a serious password-leak flaw in its code; and so on.