LastPass says cybercriminals breached its systems and stole part of its source code, but that no customer passwords were compromised in the incident.
In a Thursday notice to customers, the popular password manager says it started investigating about two weeks ago after it detected some "unusual activity" within parts of its developer environment. It later determined that someone had gained unauthorized access to that environment through a compromised developer account and taken parts of its source code and other proprietary technical data.
"After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults," LastPass CEO Karim Toubba wrote in the customer notice.
LastPass says it has taken measures to contain and stop the breach and has brought in an outside cybersecurity company to investigate. While its investigation is ongoing, the company says it hasn't seen any further evidence of intruders.
Password managers are free and paid services that encrypt and store all of a user's logins and passwords, autofilling them into the appropriate websites and apps when a master password, PIN or biometric factor is supplied.
As part of their security measures, LastPass and many other password managers don't store, know, or have access to their users' master passwords, which further protects user data if the company is breached.
Security experts overwhelmingly recommend the use of password managers because they make it much less likely that users will set bad, easy-to-guess passwords or use the same password for multiple accounts.