LastPass source code, blueprints stolen by intruder

Your passwords are still safe, biz says


Internal source code and documents have been stolen from LastPass by a cyber-thief.

The password manager maker said on Thursday that someone broke into one of its developer's accounts, and used that to gain access to proprietary data.

The biz, a big beast in the security world and based in Massachusetts, insisted that its users' passwords were still safe, adding that the theft took place about two weeks ago. GoTo-owned LastPass is said to have more than 25 million users and 80,000 business customers.

"We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," CEO Karim Toubba said in a statement.

"Our products and services are operating normally."

Toubba added:

After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

The break-in became apparent, we're told, after "some unusual activity" was detected in the development area of LastPass's computer network. The software house said it had contained the security breach, taken steps to prevent it happening again, and contacted outside infosec experts for help.

The chief exec said his outfit may take further steps to shore up its network defenses.

LastPass offers a software vault that stores your username and password pairs for logging into websites, saving you from having to memorize lots of long, complex strings: you can create unique and tough-to-crack passwords for each site account and have them saved in your vault. A master passphrase is needed to unlock and use these credentials. All you have to do is create and remember that secret phrase.

We're told that these master passwords are still safe, and haven't been compromised or accessed by the intruder, and the contents of people's vaults are also untouched. For one thing, LastPass doesn't know or keep a copy of your master password: that's for you to memorize and protect.

Sit back and relax is the message. "Our investigation has shown no evidence of any unauthorized access to customer data in our production environment," LastPass added in a statement. "At this time, we don't recommend any action on behalf of our users or administrators."

That said, LastPass has not been blunder-free over the years. In 2019, it fixed a bug that websites could exploit to steal passwords for accounts on other sites; in 2017 it had a serious password-leaking flaw in its code; and so on. ®
