Password management firm LastPass was hacked last week, allowing threat actors to steal the company’s source code and proprietary technical information.
It is one of the largest password management companies in the world, claiming to be used by over 33 million people and 100,000 businesses.
Sources told BleepingComputer that employees scrambled to contain the attack after LastPass was breached.
After fielding questions about the attack, LastPass today issued a security advisory confirming that it was breached via a compromised developer account that hackers used to access the company’s development environment.
While LastPass says there is no evidence that customer data or encrypted password vaults were compromised, the threat actors did steal portions of its source code and “proprietary LastPass technical information.”
“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” explains the LastPass advisory.
LastPass has not provided further details regarding the attack, how the threat actors compromised the developer account, and what source code was stolen.
However, LastPass stores passwords in ‘encrypted vaults’ that can only be decrypted using a customer’s master password, which LastPass says was not compromised in this cyberattack.