LastPass Says No Passwords Stolen in Data Breach

Cybercriminals broke into the company's systems and stole parts of its source code.

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables
Bree Fowler
2 min read
An image of the LastPass logo.

LastPass says cybercriminals stole part of its source code. 

Sarah Tew/CNET

LastPass says cybercriminals breached its systems and stole part of its source code, but that no customer passwords were compromised in the incident.

In a Thursday notice to customers, the popular password manager says it started investigating about two weeks ago after it detected some "unusual activity" within parts of its developer environment. It later determined that someone had gained unauthorized access to that environment through a compromised developer account and taken parts of its source code and other proprietary technical data. 

"After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults," LastPass CEO Karim Toubba wrote in the customer notice.

LastPass says it's taken measures to contain and stop the breach, as well as brought in an outside cybersecurity company to investigate. While its investigation is ongoing, the company says it hasn't seen any further evidence of intruders.

Password managers are free and paid services that encrypt and store all of a user's logins and passwords, autofilling them into the appropriate websites and apps when a master password, PIN number or biometric factor is supplied.

As part of their security measures, LastPass and many other password managers don't store, have knowledge of, or access to the master passwords of its users, which further protects user data if the company is breached.  

Security experts overwhelmingly recommend the use of password managers, because they make it much less likely that users will set bad, easy to guess passwords, or use the same password for multiple accounts.