LastPass source code, blueprints stolen by intruder

Your passwords are still safe, biz says

Internal source code and documents have been stolen from LastPass by a cyber-thief.

The password manager maker said on Thursday that someone broke into one of its developers' accounts, and used that to gain access to proprietary data.

The biz, a big beast in the security world and based in Massachusetts, insisted that its users' passwords were still safe, adding that the theft took place about two weeks ago. GoTo-owned LastPass is said to have more than 25 million users and 80,000 business customers.

"We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," CEO Karim Toubba said in a statement.

"Our products and services are operating normally."

Toubba added:

"After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults."

The break-in became apparent, we're told, after "some unusual activity" was detected in the development area of LastPass's computer network. The software house said it had contained the security breach, taken steps to prevent it happening again, and contacted outside infosec experts for help.


The chief exec said his outfit may take further steps to shore up its network defenses.

LastPass offers a software vault that stores your username and password pairs for logging into websites, saving you from having to memorize lots of long, complex strings: you can create unique and tough-to-crack passwords for each site account and have them saved in your vault. A master passphrase is needed to unlock and use these credentials. All you have to do is create and remember that secret phrase.

We're told that these master passwords are still safe, and haven't been compromised or accessed by the intruder, and the contents of people's vaults are also untouched. For one thing, LastPass doesn't know or keep a copy of your master password: that's for you to memorize and protect.

Sit back and relax is the message. "Our investigation has shown no evidence of any unauthorized access to customer data in our production environment," LastPass added in a statement. "At this time, we don't recommend any action on behalf of our users or administrators."

That said, LastPass has not been blunder-free over the years. In 2019, it fixed a bug that websites could exploit to steal passwords for accounts on other sites; in 2017, it had a serious password-leaking flaw in its code; and so on. ®
