Hackers stole LastPass source code in data breach incident

Today, LastPass confirmed a data breach in a blog post describing the incident to customers who rely on the company’s products for online security. The company emphasized, however, that customer data was not stolen in the breach and that users do not have to do anything to secure their data.

In a post written by CEO Karim Toubba, LastPass stated the following:

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

The breach occurred through a compromised developer account, and the unauthorized party made off with portions of the company’s source code and proprietary LastPass technical information.

We recently detected unusual activity within portions of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More info: https://t.co/cV8atRsv6d pic.twitter.com/HtPLvK0uEC

— LastPass (@LastPass) August 25, 2022

Toubba emphasized that user information was safe and that the unauthorized party did not compromise any passwords or access user vaults.

While it’s comforting to know that no customer data was stolen at this time, the stolen source code and proprietary information could be a significant issue and contribute to later breach attempts. LastPass seems to be aware of this possibility, as Toubba adds later that the company has hired a “leading cybersecurity and forensics firm.”

This is the second data issue LastPass has experienced in the last year. In December, some LastPass users were subjected to a “credential stuffing attack” by hackers attempting to access personal vaults. According to the company, no one’s accounts were compromised in the attack.

LastPass says it will update customers as the company learns more about what happened.

The breach a few weeks ago occurred in the development environment, so no consumer’s passwords were at risk. User passwords are stored in encrypted vaults that can only be accessed with the user’s master password. LastPass is largely considered one of the best password managers around.
