An intruder breached the internal systems of the cloud-based password manager LastPass and stole internal documents as well as the source code for the service, the company revealed in a statement on Thursday.
“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” said Karim Toubba, chief executive of LastPass. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
An unknown attacker compromised a single developer account and gained limited access to the company's source code, Toubba said. From that foothold the intruder also took some proprietary technical information.
LastPass is one of the largest password management services, reported to serve more than 30 million users and 85,000 businesses. A significant share of its revenue comes from businesses that pay for the service, which supports the millions of individual users on its free tier.
The service lets users generate random passwords and stores them online in encrypted vaults protected by a single master password. It does this under what is called a "zero knowledge" security model: the vault is encrypted on the user's device with a key derived from the master password, so the stored password data can be decrypted only with that master password. LastPass itself holds only the encrypted vault and cannot read the passwords stored on its own systems.
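To make the zero-knowledge model concrete, the following is an added example, not LastPass's code and not a description of its actual vault format. It assumes PBKDF2-HMAC-SHA256 for stretching the master password into an encryption key and a MAC key, and uses HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag as a standard-library stand-in for a vetted AEAD such as AES-GCM; the function names `encrypt_vault`, `decrypt_vault` and `offline_guess`, and the sample vault contents, are hypothetical. The point it shows: the only thing the server ever stores is the blob returned by `encrypt_vault`, which contains neither the master password nor any key, so the server cannot read the vault; and the flip side, that anyone who steals that blob can test master-password guesses offline, limited only by the KDF work factor and the password's strength.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Iterable, Optional

# Hypothetical vault format for illustration only (not LastPass's real scheme).
# Assumptions: PBKDF2-HMAC-SHA256 derives separate encryption and MAC keys from
# the master password; HMAC-SHA256 in counter mode (PRF-CTR) is the keystream and
# an encrypt-then-MAC tag authenticates the blob. A real client would use a vetted
# AEAD such as AES-GCM; the PRF-CTR construction is a standard-library stand-in.

DEFAULT_ITERATIONS = 100_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream, truncated to exactly `length` bytes."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(master_password: str, entries: dict, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Client side: the dict returned here is everything the server ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "kdf": "pbkdf2-hmac-sha256",
        "iterations": iterations,
        "salt": _b64(salt),
        "nonce": _b64(nonce),
        "ciphertext": _b64(ciphertext),
        "tag": _b64(tag),
    }


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Client side again: fails closed when the password (and so the MAC key) is wrong."""
    salt, nonce = _unb64(blob["salt"]), _unb64(blob["nonce"])
    ciphertext, tag = _unb64(blob["ciphertext"]), _unb64(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def offline_guess(blob: dict, candidates: Iterable[str]) -> Optional[str]:
    """What someone holding only the stored blob can do: try master passwords offline.
    Every guess costs one full PBKDF2 run, so the iteration count and the master
    password's strength are all that stands between a stolen blob and the plaintext."""
    for candidate in candidates:
        try:
            decrypt_vault(candidate, blob)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample vault; none of this is real account data.
    vault = {"example.com": {"username": "alice", "password": "correct horse battery staple"}}
    stored = encrypt_vault("a long, unique master passphrase", vault)
    print("server-side blob:", json.dumps(stored, indent=2))
    print("decrypts with master password:", decrypt_vault("a long, unique master passphrase", stored) == vault)
    print("dictionary attack result:", offline_guess(stored, ["password", "letmein", "123456"]))
```

Running the block prints the blob as the server would store it: a salt, a nonce, ciphertext and a tag, with no plaintext and no key. The `offline_guess` routine is the caveat a practitioner should keep in mind about any zero-knowledge design: "LastPass cannot read your vault" is a statement about what the server holds, not a guarantee against whoever later obtains a copy of that ciphertext, which is why the master password and the KDF's iteration count carry the whole security argument.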
Toubba explained that users’ master passwords were not affected, nor were the encrypted password vaults. The entire incident occurred in the LastPass development environment. “In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” Toubba said.
The company said it has since fully contained the breach and put additional safeguards in place. The attack began and ended two weeks earlier, and there have been no further incidents since the enhanced security measures were deployed, Toubba added.
This is not the first time LastPass has been breached. In 2015, attackers stole user email addresses, password reminders and authentication hashes. Although the company said at the time that master passwords were not affected, it asked customers to change their master passwords.