Hacker Steals LastPass Source Code, Company Says

LastPass, a popular password manager and two-factor authentication provider, has been hacked, again. This time, hackers managed to steal parts of the company’s source code, a move that does not pose an immediate risk to users but one that shines a bad light on a company that is responsible for guarding access to its customers' sensitive login credentials.

LastPass declined to tell Motherboard what product the source code theft impacted. An email LastPass sent to users and a blog post published on its website says “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.”

In a statement, LastPass spokesperson Nikolett Bacso Albaum told Motherboard “We recently detected some unusual activity within portions of the LastPass development environment. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.”

LastPass offers various free and paid plans for its authentication products, and previously said it has over 20 million users. To use LastPass, customers set a “master password” which then grants a user access to the rest of their passwords stored with the service. 

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.

This isn’t the first time hackers have successfully breached LastPass. Hackers targeted the company in 2015 and accessed email addresses, password reminders, and other user information.

On the latest breach, Albaum’s statement added that “In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment,  implemented additional enhanced security measures, and see no further evidence of unauthorized activity.” 

Companies that provide authentication services are prime targets for hackers because gaining access to them might provide the ability to, or at least clues that would help, in then hacking other targets. In 2011 Chinese hackers broke into cybersecurity firm RSA and stole what WIRED described as the “crown jewels of cybersecurity”: the seeds that govern the two-factor authentication codes customers used to log into their systems.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.