(Aug 26): LastPass, a password manager used by more than 33 million people worldwide, said a hacker recently stole source code and proprietary information after breaking into its systems.
The company does not believe any passwords were taken as part of the breach and users should not have to take steps to protect their accounts, according to a blog post on Thursday (Aug 25).
An investigation determined that an “unauthorized party” accessed the company's development environment, which is the software used by employees to build and maintain the LastPass product. The perpetrators were able to gain access through a single compromised developer account, the company said.
We recently detected unusual activity within parts of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More information: https://t.co/cV8atRsv6d
— LastPass (@LastPass) August 25, 2022
The attack hit a company that generates and stores hard-to-crack, auto-generated passwords for multiple accounts, such as Netflix or Gmail, on behalf of its users, without requiring them to manually enter credentials. LastPass lists Patagonia, Yelp Inc, and State Farm as clients on its website.
Cybersecurity website Bleeping Computer reported that it asked LastPass about the breach two weeks ago.
Allan Liska, an analyst with the Computer Security Incident Response Team at cybersecurity firm Recorded Future, said he was impressed with LastPass’ “quick notification.”
“While two weeks may seem like a long time to some, it can take a while for incident response teams to fully assess and report on a situation,” he said. “It will take time to fully determine the extent of any harm that may have been as a result of the breach. However, for now it does not seem to have an impact on the client.”
LastPass did not immediately respond to a request for further comment.
There was speculation on social media that hackers could access password vault keys after stealing source code and proprietary information.
“Stolen source code is unlikely to give criminals access to customer passwords,” Liska said.