LastPass hacked, source code stolen

LastPass, a major password management provider, has acknowledged some of its source code was recently stolen after one of its developer accounts was hacked.

Some proprietary information was also stolen, the company said Thursday. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” it added.

The Bleeping Computer news service said the statement came after it asked the company for comment on Sunday, when insiders tipped it off.

“Two weeks ago we detected some unusual activity within portions of the LastPass development environment,” the Boston-based company said in its statement.

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally. 

“In response to the incident, we have deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

It hasn’t explained how the staffer’s account was compromised.

In an FAQ accompanying Thursday’s statement, the company said the incident didn’t compromise customers’ master passwords or their data vaults. At this time, LastPass said, neither users nor administrators have to take any action to secure their accounts.

The company says it has 100,000 business customers, as well as individual users. Combined it counts 33 million registered users, with “the significant majority” represented by corporate customers.

LastPass is in the process of being spun off by its parent company, GoTo (formerly LogMeIn). In April, LastPass named Karim Toubba as its new CEO. In May it added a chief secure technology officer.

It’s the second major cyber incident to have hit LastPass in the last eight months. In December, Bleeping Computer reported that some LastPass customers were alerted after attempts were made to access their password manager with a master password. At the time, a LogMeIn official said a threat actor likely was trying to access user accounts with email addresses and passwords obtained from third-party data breaches.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
