Password management giant LastPass has revealed details of a security incident earlier this month in which proprietary information was stolen by threat actors.
The firm, which claims to have over 33 million global users including more than 100,000 business accounts, said the intrusion took place two weeks ago.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally,” it explained.
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
LastPass was at pains to point out that it has no evidence that customer data or encrypted password vaults were accessed in the breach, which was confined to the developer environment.
“We never store or have knowledge of your Master Password,” the firm said in an FAQ. “We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.”
As a result, there are no additional steps for customers to follow.
This isn’t the first security scare for LastPass customers. Back in 2015, threat actors managed to access LastPass account email addresses, password reminders, “server per user salts,” and authentication hashes.
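The two passages above describe the same design from opposite ends: the "Zero Knowledge" claim that the service never holds the master password, and the 2015 incident in which per-user salts and authentication hashes were among the stolen items. The added example below (illustrative code written for this article, not LastPass's own implementation or its real parameters) shows how such a scheme typically fits together: the client derives a vault key from the master password with a slow KDF, derives a separate one-way login credential from that key, and the server stores only a per-user salt and a verifier computed from that credential. The iteration counts, the use of the lower-cased username as the client-side salt, and the class and function names are assumptions made for the example.

```python
"""Illustrative zero-knowledge login flow (example code, not a vendor's implementation).

Client side:  master password + per-user salt --PBKDF2--> vault key (never leaves the device)
              vault key --PBKDF2(1 round)--> auth hash (the login credential sent to the server)
Server side:  auth hash + server-side per-user salt --PBKDF2--> verifier (the only thing stored)
"""
import hashlib
import hmac
import secrets

# Constructed parameters for this example; a real deployment tunes these separately.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 10_000
KEY_LEN = 32


def derive_vault_key(master_password: str, username: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side. Slow KDF over the master password; the lower-cased username acts as
    the per-user salt (an assumption for this example). This key encrypts the vault and
    is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), iterations, KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. One further one-way step turns the vault key into a login credential.
    Knowing this value does not reveal the vault key or the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def client_credentials(username: str, master_password: str) -> tuple[bytes, bytes]:
    """Everything the client computes locally: (vault_key kept locally, auth_hash sent)."""
    vault_key = derive_vault_key(master_password, username)
    return vault_key, derive_auth_hash(vault_key, master_password)


class ZeroKnowledgeServer:
    """Server side. Holds per-user server salts and verifiers; never sees the master
    password or the vault key, and does not even persist the auth hash itself."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}  # username -> (server_salt, verifier)

    @staticmethod
    def _verifier(auth_hash: bytes, server_salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, SERVER_ITERATIONS, KEY_LEN)

    def register(self, username: str, auth_hash: bytes) -> None:
        server_salt = secrets.token_bytes(16)  # the "server per user salt"
        self._users[username] = (server_salt, self._verifier(auth_hash, server_salt))

    def login(self, username: str, auth_hash: bytes) -> bool:
        """Recompute the verifier from the presented credential; constant-time compare."""
        record = self._users.get(username)
        if record is None:
            return False
        server_salt, verifier = record
        return hmac.compare_digest(self._verifier(auth_hash, server_salt), verifier)

    def stored_material(self, username: str) -> tuple[bytes, bytes]:
        """What an attacker who copies the user table would obtain."""
        return self._users[username]


if __name__ == "__main__":
    server = ZeroKnowledgeServer()
    vault_key, auth_hash = client_credentials("alice@example.com", "correct horse battery staple")
    server.register("alice@example.com", auth_hash)
    print("login ok:", server.login("alice@example.com", auth_hash))
    salt, verifier = server.stored_material("alice@example.com")
    print("server holds salt and verifier only; verifier == auth_hash?", verifier == auth_hash)
```

The point of the separation is visible in `stored_material`: a copy of the server's user table yields salts and verifiers, not vault keys, so offline recovery of a vault still requires guessing the master password through both the client and server KDF layers, and the per-user salts prevent one precomputed table from being reused across accounts.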
Acquired by LogMeIn for $125m in the same year, LastPass announced in 2021 that it would become a standalone company again.