LastPass Confirmed Hackers Stole Some of its Source Code in Cyberattack

Published on: August 30, 2022

Popular password manager brand LastPass confirmed that it was targeted by threat actors in a cyberattack two weeks ago. According to the company, parts of its source code and proprietary technical information were stolen in the attack.

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” said LastPass CEO Karim Toubba in a security advisory on Thursday. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

Once rumors of the attack started surfacing, LastPass confirmed it in the security advisory last week. The company also added that threat actors used a compromised developer account to break into its developer environment.

Although the hackers took parts of the company’s source code and “proprietary LastPass information,” LastPass said that the encrypted password vaults and customer data still showed no signs of being compromised.

However, the company did not disclose what parts of the source code were stolen and how exactly the attack took place.

“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” added Touba in the security advisory. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

This is not the cyberattack that LastPass has been the target of over the past year. In Dec. 2021, LastPass users fell victim to credential stuffing attacks and were notified by the company that someone used their master passwords to try and access their accounts. However, LastPass made sure to block any login attempts that come from unrecognized devices or locations. Credential stuffing attacks are when threat actors use previously leaked username and password combinations to brute-force and gain unauthorized access to users’ accounts.