LastPass, a major password management provider, has acknowledged some of its source code was recently stolen after one of its developer accounts was hacked.
Some proprietary information was also stolen, the company said Thursday. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” it added.
The Bleeping Computer news service said the statement came after it asked the company for comment on Sunday, when insiders tipped it off.
“Two weeks ago we detected some unusual activity within portions of the LastPass development environment,” the Boston-based company said in its statement.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.
“In response to the incident, we have deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
It hasn’t explained how the staffer’s account was compromised.
In an FAQ accompanying Thursday’s statement, the company said the incident didn’t compromise customers’ master passwords or their data vaults. At this time, LastPass said, neither users nor administrators have to take any action to secure their accounts.
The company says it has 100,000 business customers, as well as individual users. Combined, it counts 33 million registered users, with “the significant majority” represented by corporate customers.
LastPass is in the process of being spun off by its parent company, GoTo (formerly LogMeIn). In April, LastPass named Karim Toubba as its new CEO. In May it added a chief secure technology officer.
It’s the second major cyber incident to have hit LastPass in the last eight months. In December, Bleeping Computer reported that some LastPass customers were alerted after attempts were made to access their password manager with a master password. At the time, a LogMeIn official said a threat actor likely was trying to access user accounts with email addresses and passwords obtained from third-party data breaches.