LastPass Says Hackers Took ‘Portions Of Source Code’
Joseph F. Kovar
Someone used a compromised developer account to take portions of the company's source code from its development environment, but appears not to have accessed customers' passwords or personal data, company CEO Karim Toubba said in an online security incident report.
Password management technology developer LastPass Thursday said its development environment was breached, resulting in the theft of portions of its source code.
However, the Boston-based company, whose technology is used by 30 million users and 85,000 businesses worldwide, said that customer password information was not compromised.
LastPass develops password management offerings for personal and business users. Users create a strong master password; a key derived from it with PBKDF2-SHA256 encrypts the user's vault with AES-256, so the master password itself is not stored by LastPass. The technology also includes multi-factor authentication. That allows users to log on once a day to access all their password-protected applications without creating or having to remember individual passwords.
The company said in an online security incident report that it detected unusual activity in its development environment a couple of weeks ago and, after launching an investigation, found that an unauthorized person was able to take some of its source code without compromising customers' passwords.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally,” wrote Karim Toubba, LastPass CEO and the author of the security incident report.
LastPass said it has deployed containment and mitigation measures and “engaged a leading cybersecurity and forensics firm.” The firm was not identified.
LastPass, when contacted by CRN via email for further information, responded with a statement that for the most part echoed the online security incident report. However, the response did add a bit more information. In particular, the company wrote in the email, “in line with the company’s culture of transparency, LastPass is in the process of contacting our customers about the incident.”
In the FAQ that accompanied the report, Toubba wrote that the incident did not compromise any master passwords, as they are hidden from the company by its zero-knowledge architecture.
Toubba also wrote that there was no evidence that the attack compromised users' passwords, which are encrypted, or any user data. He also wrote that LastPass does not recommend any user action for now.
LastPass was acquired by the software company formerly known as LogMeIn, now known as GoTo, for $110 million in 2015. Last year, LastPass was established as a separate company.