LastPass Suffers ‘Security Incident’, Says No Passwords Stolen but Some Source Code Was

LastPass, a popular password management service used by many to achieve cybersecurity nirvana, has confirmed some of its internal source code has been stolen in a ‘security incident’.

Before we get into what happened, LastPass assures users of its service that no ‘master passwords’ have been compromised, because they “never store or have knowledge of your master password”. Vault data, it said, is also safe.

In a blog post announcing the security incident, LastPass said that two weeks ago it detected some “unusual activity” within portions of its development environment.

“After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” it said.

The company has determined, however, that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.

LastPass said that in response to the incident, it has deployed containment and mitigation measures, and engaged an external cybersecurity and forensics firm to help with analysis.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorised activity,” the blog continued.

As touched on above, LastPass said no master passwords have been compromised, nor has any vault data stored by users, or customer data for that matter.

LastPass is so confident that no users are impacted by the breach that it’s suggesting that its users do nothing.

“At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass,” LastPass wrote.

It also noted that its products and services are operating normally.

Password managers — which are handy tools to store all your web credentials in one centralised, supposedly secure, location — have been known to have serious security vulnerabilities, the likes of which could hypothetically lead to hacking incidents. LastPass has had its fair share of these issues. If you cast your mind back to December, LastPass users were receiving emails from the company warning them of suspicious login attempts that were utilising their master password.

Obviously this recent incident is not related to that, but a little bit of history never hurt anyone, especially when you’re trusting a third party with protecting your personal information.