UPDATED 13:20 EST / AUGUST 26 2022


LastPass source code stolen by hackers in security breach

An intruder breached the internal systems of the cloud-based password manager LastPass and stole internal documents as well as the source code for the service, the company revealed in a statement on Thursday.

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” said Karim Toubba, chief executive of LastPass. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

An unknown attacker broke into a single developer account and gained limited access to the company’s source code, Toubba said. From there, the individual also stole blueprints for proprietary technical information.

LastPass is one of the largest password management services available for users and is said to support more than 30 million users and 85,000 businesses. A significant portion of its revenue comes from businesses that pay for its services to support millions of internet users who subscribe to the service for free.

The service allows users to generate random passwords and stores them online in encrypted password vaults that are protected by a single master password. It does this using what is called a “zero knowledge security” model: password data can be decrypted only with the user’s master password. That means even LastPass is unaware of the password data stored on its own system.

Toubba explained that users’ master passwords were not affected, nor were the encrypted password vaults. The entire incident occurred in the LastPass development environment. “In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” Toubba said.

The company said the team has since completely contained the breach and implemented additional security. The attack began and ended two weeks ago, and with the enhanced security in place there have been no further incidents, Toubba added.

This is not the first time that LastPass has been hacked. In 2015, the company suffered a security breach where attackers stole user email addresses, password reminders and authentication hashes. Although the company said at the time that master passwords were not affected, it asked customers to reset their passwords.
