LastPass sent an email to users informing them that an unauthorized party had gained access to portions of its development environment. The unusual activity was detected two weeks ago. The hacker took portions of the site’s internal source code and documents relating to technical information. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” states a LastPass blog post. Unlike the Plex hack reported yesterday, LastPass isn’t advising its users to change their passwords—Plex’s accessed data did include emails, usernames, and encrypted passwords.
The LastPass intruder gained access through a single compromised developer account, though there are no details on how this happened. The company says it has deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm. LastPass adds that it has implemented additional enhanced security measures and sees no further evidence of unauthorized activity Despite being massively popular and an excellent piece of software, this isn’t the first time LastPass has made headlines for the wrong reasons. In 2019, the company patched a security flaw that could have allowed hackers to scrape login details from the last site users visited. There was also a browser extension vulnerability in 2017. In December, LastPass users began reporting login attempts from unknown locations using their correct master passwords. The company claimed these were likely the result of people reusing passwords across multiple sites—ironically, the very thing password managers are designed to discourage—but others claim they originated from another LastPass browser extension vulnerability. LastPass users should download the authenticator app to help safeguard their account by requiring two-factor authentication codes when signing in.