LastPass Security Breach – Hackers Steal Company’s Source Code

World-leading password manager, LastPass, is the latest victim of a security breach. In an advisory, the company confirmed the stealing of its internal source code and technical documents. LastPass is owned by GoTo and boasts over 25 million users and serves around 80,000 businesses worldwide.

Incident Details

On 25 August 2022, LastPass’s CEO Karim Toubba confirmed that an unauthorized party stole some portions of its internal source code and proprietary technical information. The company revealed that an attacker broke into one of its developers’ accounts and gained access to proprietary data.

The company stressed on the breach occurred through a “single compromised developer account. It noted that all of its products and services are “operating normally,” and that the situation is under control. The breach took place around two weeks back.

How the Breach was Detected?

The break-in was detected after unusual activity was noticed in the LastPass computer network’s development area. The security breach was promptly contained and the company took necessary steps to prevent another intrusion from happening. 

According to LastPass’ blog post, the company also outsourced infosec experts to investigate the incident. An investigation was launched and it was later confirmed that the cybercrook couldn’t access customer data. Per LastPass CEO, the company will ramp up its network defenses.  

What About User Passwords?

For your information, LastPass provides a software vault where usernames and passwords are stored in pairs to allow users to log in to websites. This makes it tougher to crack passwords.

LastPass Security Breach - Hackers Steal Company's Source Code

After the breach, a lot of speculations emerged about the safety of passwords. The company addressed these concerns by explaining that master passwords are safe and weren’t compromised or accessed by the hacker. LastPass also added that vault contents also remained untouched.

LastPass noted that it doesn’t keep a copy of users’ master passwords as that’s for the user to memorize and protect. The Massachusetts-based company insisted that encrypted user passwords are safe due to the zero-knowledge architecture it has…