Password management software firm LastPass has suffered a data breach that led to the theft of source code and proprietary technical information.
The company, which is owned by GoTo (formerly LogMeIn), disclosed the breach in an online notice posted Thursday but insisted that the customer master passwords or any encrypted password vault data were not compromised.
LastPass chief executive Karim Toubba said the company’s security team detected unusual activity within portions of the LastPass development environment two weeks ago and launched an investigation that confirmed the source code theft.
We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.
In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
[...]
We are writing today to update you on our recent security incident disclosed on December 22. We have now completed an exhaustive investigation and have not seen any threat actor activity since October 26.
Earlier today, we posted an update to our blog with new findings and important information, including what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward.
Given the volume of information we are sharing in the blog post, and to better assist our customers with their own incident-response efforts, we have prepared a Security Bulletin specifically for our Free, Premium, and Families consumer users to help guide you through a review of important LastPass settings designed to help secure your account by confirm best practices are being followed.
Please review the Security Bulletin and make any necessary changes to your account.
In sharing these additional details today and in our approach going forward, we are determined to do right by our customers and communicate more effectively. We thank you for your patience and continued support of LastPass.
We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.
We thank you for your patience and continued support of LastPass.
LastPass says the attacker behind the August security breach had internal access to the company's systems for four days until they were detected and evicted.
[...]
In the letter sent to customers after BleepingComputer's emails, Lastpass confirmed it was hacked two weeks before and that the attackers had stolen some source code and proprietary technical information.
"Two weeks ago, we detected some unusual activity within portions of the LastPass development environment," the company said at the time.
"After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults."
LastPass provides one of the most popular password management software in the world, with the company claiming that it's used by over 33 million people and 100,000 businesses.
We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.
In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update our customers with the transparency they deserve.