LastPass, a password manager that is used by over 33 million people worldwide, has revealed that a hacker stole its source code and proprietary information.
According to a blog post published on Thursday, the company does not believe passwords were stolen in connection with the breach. Users should not need to take any action to protect their accounts.
We recently detected unusual activity within portions of the LastPass development environment and have initiated an investigation and deployed containment measures. We have no evidence that this involved any access to customer data. More info: https://t.co/cV8atRsv6d pic.twitter.com/HtPLvK0uEC
— LastPass (@LastPass) August 25, 2022
An investigation revealed that an “unauthorized person” had gained access to LastPass’s developer environment. This is the software used by employees to create and maintain LastPass’s products. According to the company, the perpetrators gained access via a single compromised developer account.
This attack targeted a company that automatically generates passwords for multiple accounts such as Netflix and Gmail, so that users don’t have to enter these passwords manually. LastPass lists State Farm, Yelp Inc., and Patagonia as customers on its website.
Bleeping Computer reported it had asked LastPass about this breach two weeks prior.
Allan Liska, an analyst at Recorded Future’s Computer Security Incident Response Team, stated that he was impressed by LastPass’s “speedy notification”.
He said that although two weeks may seem long, incident response teams can take time to assess and report on the situation. It will take some time to determine the extent of any damages that might have occurred as a result of the breach. It does not appear to have any client-impacting effects.
LastPass did not immediately respond to a request to provide further information.
Social media rumours suggested that hackers could gain access to password vault keys by stealing source code or proprietary information.
Liska stated that it is unlikely that the stolen source code will allow criminals to access customer passwords.