LastPass breach: CEO says 'no evidence' of customer data being stolen

The LastPass logo on a smartphone lying next to some bluetooth earphones
(Image credit: Getty Images)

Password manager LastPass has revealed that a hacker was able to breach its development environment and steal some of its source code.

LastPass allows users to save passwords to multiple sites through its platform, and provides a browser extension to try and make it easier to enter websites without having to remember different passwords. To access the service, users only need to remember their master password.

The company detected some unusual activity within portions of the LastPass development environment two weeks ago, said Karim Toubba, CEO of LastPass, in a blog post on Thursday. He added that the company hasn’t seen any evidence that the incident involved any access to customer data or encrypted vaults.

The unauthorised party gained access to the development environment through a single compromised developer account and took portions of the source code and some proprietary technical information. The company’s products and services are operating normally, Toubba underlined.

In response to the incident, LastPass has deployed containment and mitigation measures and engaged a leading cyber security forensics firm. It’s also evaluating further mitigation techniques to strengthen its environment.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorised activity,” said Toubba.

The company clarified that users’ master password hasn’t been compromised and also doesn’t recommend any action on behalf of users or administrators for now.

This isn’t the first time the company has been a victim of a hack. In 2011, the company told customers to change their passwords due to a possible security breach. It reported that it had experienced a network traffic anomaly from a non-critical machine, and concluded that this could have been an attack.

The team admitted that it didn’t have a lot of evidence which signalled an explicit problem, but said “where there’s smoke there could be fire”.

In 2019, the company patched a vulnerability which could have led to users exposing the password they previously used on the last site they visited. The flaw made the password manager susceptible to cyber criminals launching clickjacking attacks. It affected the company’s web extension when used on Google Chrome or Opera and was discovered by Google’s Project Zero team.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.