In a security advisory email sent out to its users on Thursday, the company said that two weeks ago, they detected some unusual activity within portions of the LastPass development environment, and immediately started an investigation. Based on the investigation, they found that an unauthorized party had gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. In response to the incident, the company has deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” the email read. The letter also emphasized that there has been no evidence of any unauthorized access to customer data, Master Password or encrypted password vaults, and hence they weren’t compromised or obtained by threat actors as part of this data breach. As such, LastPass has recommended no user or administrative action is needed at this point of time. LastPass is yet to reveal any additional information regarding the attack, or what source code was stolen, and how the threat actors exploited the developer account. “Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update you with the transparency you deserve,” the letter concluded. This is not the first time that LastPass has suffered a data breach. Last December, the password manager app was subjected to a “credential stuffing attack” against its users where the threat actors attempted to gain access to their cloud-hosted password vaults. As per the company, no accounts were compromised in the attack. Recently, Plex, one of the most popular global streaming media services, too suffered a potential data breach involving one of its databases in which emails, usernames, and encrypted passwords were stolen.
