LastPass

Password management firm LastPass was hacked two weeks ago, enabling threat actors to steal the company's source code and proprietary technical information.

The disclosure comes after BleepingComputer learned of the breach from insiders last week and reached out to the company on August 21st without receiving a response to our questions.

Sources told BleepingComputer that employees were scrambling to contain the attack after LastPass was breached. 

After sending questions about the attack, LastPass released a security advisory today confirming that it was breached through a compromised developer account that hackers used to access the company's developer environment.

While LastPass says there is no evidence that customer data or encrypted password vaults were compromised, the threat actors did steal portions of their source code and "proprietary LastPass technical information."

"In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm," explains the LastPass advisory.

"While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity."

LastPass has not provided further details regarding the attack, how the threat actors compromised the developer account, or what source code was stolen.

The full security advisory emailed to LastPass customers can be read below.

LastPass security advisory emailed to customers

LastPass is one of the largest password management companies in the world, claiming to be used by over 33 million people and 100,000 businesses.

As consumers and businesses use the company's software to store their passwords securely, there are always concerns that if the company were hacked, threat actors could gain access to stored passwords.

However, LastPass stores passwords in 'encrypted vaults' that can only be decrypted using a customer's master password, which LastPass says was not compromised in this cyberattack.

Last year, LastPass suffered a credential stuffing attack that allowed threat actors to confirm a user's master password. It was also revealed that LastPass master passwords were stolen by threat actors distributing the RedLine password-stealing malware.

Due to this, it is vital to enable multi-factor authentication on your LastPass accounts so that threat actors won't be able to access your account even if your password is compromised.

BleepingComputer has once again reached out with further questions about the attack.

This is a developing story.
