Skip links

LastPass source code, blueprints stolen by intruder

Internal source code and documents have been stolen from LastPass by a cyber-thief.

The password manager maker said on Thursday that someone broke into one of its developer’s accounts, and used that gained access to proprietary data.

The biz, a big beast in the security world and based in Massachusetts, insisted that its users’ passwords were still safe, adding that the theft took place about two weeks ago. LastPass is said to have more than 25 million users and 80,000 business customers.

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” CEO Karim Toubba said in a statement.

“Our products and services are operating normally.”

Toubba added:

The break-in became apparent, we’re told, after “some unusual activity” was detected in the development area of LastPass’s computer network. The software house said it had contained the security breach, taken steps to prevent it happening again, and contacted outside infosec experts for help.


We can’t believe people use browsers to manage their passwords, says maker of password management tools


The chief exec said his outfit may take further steps to shore up its network defenses.

LastPass offers a software vault that stores your username and password pairs for logging into websites, saving you from having to memorize lots of long complex strings: you can create unique and tough to crack passwords for each site account and have them saved in your vault. A master passphrase is needed to unlock and use these credentials. All you have to do is remember that phrase.

We’re told that these master passwords are still safe, and haven’t been accessed, despite this month’s intrusion, and the contents of people’s vaults are also untouched. Instead, folks are told to sit tight and relax.

“Our investigation has shown no evidence of any unauthorized access to customer data in our production environment,” LastPass said in a statement. “At this time, we don’t recommend any action on behalf of our users or administrators.”

That said, LastPass has not been blunder free over the years. In 2019, it fixed a bug websites could exploit to steal passwords for accounts on other sites, it had a serious password-leaking flaw in its code in 2017, and so on. ®