One of the world’s leading password managers, LastPass, announced Thursday that cybercriminals broke into one of the company’s staff accounts two weeks ago — stealing portions of the company’s source code and other technical information.
LastPass has confirmed that there is currently no evidence that users’ personally identifiable information (PII) was compromised, and the investigation is ongoing.
‘We Detected Some Unusual Activity’
LastPass, which caters to 33 million customers worldwide, said in its official blog post on Thursday, Aug. 25, that snippets of source code — vital instructions that software operates on — and some of LastPass’s proprietary technical information were stolen by an “unauthorized party.”
According to CEO Karim Toubba, unknown actors managed to break into one of LastPass’s software developer staff accounts, which allowed them to quietly steal the data. As a result, some sources say users began panicking while employees rushed to contain the breach.
Investigation Is Ongoing
LastPass has not publicly commented on the incident except via official information in the blog post and social media. On the company’s official Twitter feed, some premium users were outraged, saying that the company has been an “inconsistent, unreliable service” for quite some time. Others said they did not notice anything suspicious.
LastPass said that the investigation is ongoing and that all cybersecurity and forensics measures have been applied. The company said it has “achieved a state of containment, implemented additional enhanced security measures,” and sees no further cause for concern for users.
Master passwords, vault data, and personal information have not been compromised, the company said. “At this time, we don’t recommend any action on behalf of our users or administrators.” In addition, LastPass recommends users follow security and configuration best practices.
Not the First Time
This is not the first time the widely used password manager has suffered a cybersecurity incident. Seven embedded trackers were discovered in the LastPass Android app in February last year. In December 2021, users noticed multiple unauthorized attempted logins with their LastPass master passwords — which unlock the app itself and reveal stored passwords.
LastPass used to lead the pack in both our best free password managers and best password managers overall overviews. Unfortunately, the app’s ranking has been overtaken by other picks over time.
Ensuring top-notch cyber hygiene is essential for the security of your devices and your private data. This means creating a secure password the right way for all accounts and devices. It is also vital to enable multi-factor authentication in sensitive applications such as password manager apps.