
LastPass had its source code stolen by hackers – this is why your passwords are still safe


Storing your passwords using one of the best password managers can make them more difficult to steal, but what happens when hackers go after a password management company instead? 

As reported by BleepingComputer, LastPass has disclosed that it was targeted by a cyberattack two weeks ago after rumors of the attack began circulating online. The news outlet found out about the breach after speaking with insiders last week who said the company was “scrambling to contain the attack”.

If you’re a LastPass customer, you may be wondering if your passwords and other sensitive data are still safe. Fortunately, customer passwords weren’t exposed as the hackers responsible only managed to steal the company’s source code along with proprietary technical information.

LastPass confirms it was hacked

In a new security advisory released on Thursday, LastPass CEO Karim Toubba explained that the company “detected some unusual activity within portions of the LastPass development environment” two weeks ago.

The company immediately began an investigation and so far, no evidence has been found that any customer data or encrypted password vaults were accessed by the attacker behind the breach.

The attacker was able to gain access to LastPass’ development environment by using a single compromised developer account. Once inside the company’s systems, they “took portions of source code and some proprietary LastPass technical information”, according to Toubba.

Although all of LastPass’ products and services are operating normally, the company has deployed containment and mitigation measures. It’s also working with a cybersecurity and forensics firm to conduct an expanded investigation into the incident.

Why your passwords are still safe


In addition to being one of the best password managers, LastPass is also one of the largest and the company says its services are used by more than 33 million people and 100,000 businesses worldwide.

Although your passwords are certainly safer when stored inside a password manager, there is always the chance that if a company like LastPass or 1Password is hacked, cybercriminals could gain access to your stored passwords.

Your passwords are still safe after this breach because LastPass stores all customer passwords inside encrypted vaults that can only be decrypted by using your master password. In an FAQ at the bottom of its security advisory, LastPass explains that no master passwords were compromised as a result of the incident.

At the same time, the company neither stores your master password nor has any knowledge of it. This is because LastPass uses Zero Knowledge architecture which ensures it can never know or gain access to its customers’ master passwords. Likewise, none of the data stored inside customers’ encrypted vaults was compromised during the breach.
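
A generic sketch of the zero-knowledge split described above, added here as an illustration and not LastPass code: the client derives the vault key from the master password, and the provider keeps only a salt, a login verifier and ciphertext. The function names, the iteration count, the sample data and the HMAC-based stand-in cipher are all assumptions of this sketch.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor for this sketch

def derive_keys(master_password: str, salt: bytes):
    """Client side only. Returns (vault_key, auth_hash)."""
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    # One more one-way pass yields a login value that does not reveal vault_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, auth_hash

def _subkeys(vault_key: bytes):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (use AES-GCM or similar in practice).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_record(salt: bytes, auth_hash: bytes, blob: bytes) -> dict:
    """All the provider keeps: no master password and no vault key."""
    return {"salt": salt, "verifier": hashlib.sha256(auth_hash).digest(), "vault": blob}

if __name__ == "__main__":
    salt = b"user@example.com"  # constructed sample data
    key, auth = derive_keys("correct horse battery staple", salt)
    record = server_record(salt, auth, seal(key, b"bank: hunter2"))
    print(open_vault(key, record["vault"]))
```

An intruder who copies `server_record` output, or the source code that produces it, still needs the master password to run `derive_keys` and open the vault.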

Normally, after a data breach, companies recommend that users change their passwords but in this case, LastPass says that users don’t need to take any action at this time. The company also plans to keep users updated on the findings of its investigation once they become available. 

Anthony Spadafora
Senior Editor Security and Networking