LastPass, the password management company whose tools are widely used in the enterprise, said that an attacker stole a portion of its source code during a recent intrusion, but that no customer master passwords or other data were compromised.
The unidentified attacker gained access to the LastPass corporate environment by compromising a developer account, the company said. LastPass detected some unusual activity on the company’s network two weeks ago and began investigating it, which led to the discovery of the compromised developer account.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally,” LastPass CEO Karim Toubba said in a blog post Thursday.
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
The intrusion does not appear to have had any direct effects on customers at this point. The company said its architecture ensures that it does not store any customers’ master passwords or encrypted information in their vaults.
“This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data,” Toubba said.
LastPass did not specify how much or what portion of its source code the attacker was able to obtain. Toubba said the company will continue to update customers as the investigation progresses.