LastPass acknowledges that some source code was stolen by attackers

LastPass began warning customers earlier this week of a “recent security issue” in which an “unauthorized person” used a hacked developer account to get access to sections of its password manager’s source code and “certain confidential LastPass technical knowledge.” The company’s CEO, Karim Toubba, says in a letter to its subscribers that its investigation has found no indication that any user data or encrypted passwords were obtained.

Toubba goes on to say that after containing the incident, which was discovered two weeks ago, the organisation “installed further improved security measures.” The company declined to say how long the attacker had been inside its systems before the breach was discovered.

According to LastPass, its customers don’t need to change anything at this point. There’s no need to spend an afternoon updating your master password and doing a comprehensive security audit. LastPass itself, however, most likely has its work cut out for it to make sure no such changes become necessary now that an unauthorised party has had access to its source code.

To be clear, just because hackers have access to a program’s source code doesn’t mean they can immediately pwn it and break past its protections. Microsoft famously says that it does not depend on keeping its source code secret for security and that people being able to see it should not be a danger (which is a good thing, because its source code leaks a lot).

Even though the breach does not seem to be a red flag for the company’s security practices, it is still not a good look for a password manager that has been struggling with its reputation. It’s only the latest problem for LastPass (the software’s Wikipedia page is largely made up of a section headed “security concerns”), and the business also earned the ire of many customers by making its free tier much less useful in early 2021.

