Password management company LastPass was hacked two weeks ago, allowing threat actors to steal the company’s source code and technical information.
The disclosure comes after BleepingComputer learned of the breach from an insider last week and contacted the company on August 21 without receiving a response to our inquiries.
Sources told BleepingComputer that employees scrambled to withstand the attacks after LastPass was breached.
After BleepingComputer submitted inquiries about the attack, LastPass released a security alert today confirming it was breached via a compromised developer account that hackers used to access the company’s developer environment.
While LastPass said there was no evidence that customer data or encrypted password vaults had been compromised, the threat actors did steal parts of their source code and “LastPass proprietary technical information.”
“In response to the incident, we have implemented containment and mitigation measures, and engaged leading cybersecurity and forensics companies,” the LastPass advisory said.
“While our investigation is ongoing, we have reached a state of containment, implemented additional enhanced security measures, and have seen no further evidence of unauthorized activity.”
LastPass has not provided further details regarding the attack, how the threat actors compromised the developer account, or what source code was stolen.
The full security advisory emailed to LastPass subscribers can be read below.
LastPass is one of the largest password management companies in the world, claiming to be used by more than 33 million people and 100,000 businesses.
Since consumers and businesses use the company’s software to securely store their passwords, there is always a concern that if the company is hacked, it could allow threat actors to access stored passwords.
However, LastPass stores passwords in an ‘encrypted vault’ that can only be decrypted using the customer’s master password, which LastPass says was not compromised in this cyberattack.
Last year, LastPass experienced a credential stuffing attack that allowed threat actors to confirm a user’s master password. It was also revealed that LastPass master passwords were stolen by a threat actor who distributed the RedLine password-stealing malware.
Therefore, it is very important to enable multi-factor authentication on your LastPass account so that threat actors will not be able to access your account even if your password is compromised.
BleepingComputer is once again reaching out with further questions about the attack.
This is a developing story.