Password management firm LastPass was hacked two weeks ago, enabling threat actors to steal the company’s source code and proprietary technical information.
The disclosure comes after BleepingComputer learned of the breach from insiders last week and reached out to the company on August 21st without receiving a response to our questions.
Sources told BleepingComputer that employees were scrambling to contain the attack after LastPass was breached.
After sending questions about the attack, LastPass released a security advisory today confirming that it was breached through a compromised developer account that hackers used to access the company’s developer environment.
While LastPass says there is no evidence that customer data or encrypted password vaults were compromised, the threat actors did steal portions of their source code and “proprietary LastPass technical information.”
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” explains the LastPass advisory.
“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
LastPass has not provided further details regarding the attack, how the threat actors compromised the developer account, and what source code was stolen.
The full security advisory emailed to LastPass customers can be read below.
LastPass is one of the largest password management companies in the world, claiming to be used by over 33 million people and 100,000 businesses.
As consumers and businesses use the company’s software to store their passwords securely, there are always concerns that if the company was hacked it could allow threat actors access to stored passwords.
However, LastPass stores passwords in ‘encrypted vaults’ that can only be decrypted using a customer’s master password, which LastPass says was not compromised in this cyberattack.
Last year, LastPass suffered a credential stuffing attack that allowed threat actors to confirm a user’s master password. It was also revealed that LastPass master passwords were stolen by threat actors distributing the RedLine password-stealing malware.
Due to this, it is vital to enable multi-factor authentication on your LastPass accounts so that threat actors won’t be able to access your account even if your password is compromised.
BleepingComputer has once again reached out with further questions about the attack.
This is a developing story.