Password manager LastPass reveals intrusion into development system

Vendor states that user data remains secure and it continues to investigate the incident.

LastPass, maker of a password management application, has revealed that an unauthorised party gained access to its development environment through a compromised developer account and stole some source code and proprietary technical information.

An initial probe of the incident has revealed no evidence that customer data or encrypted password vaults were accessed by the intruder, CEO Karim Toubba stated in a company blog post.

Toubba explained that the master passwords of the company's users are protected by a zero-knowledge architecture, which prevents LastPass from knowing or accessing those passwords.

"Our products and services are operating normally," adds LastPass spokesperson Nikolett Bacso Albaum. "In response [to the incident], we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cyber security and forensics firm."

"While our investigation is ongoing," she continues, "we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorised activity."

Password managers an attractive target

While the motive of the people responsible for this LastPass incident is unknown, password managers are a challenging but attractive target for threat actors, observes Melissa Bischoping, an endpoint security research specialist with Tanium, an endpoint management and security company. 

"They unlock — quite literally — a treasure trove of access to hundreds of thousands of accounts and sensitive customer data in an instant, if they are breached," she says.

Also unknown is how the developer account was compromised. Presumably, LastPass had proper authentication controls in place, but sometimes "even strong authentication solutions are not enough for various reasons," says Rajiv Pimplaskar, CEO of Dispersive Holdings, a secure access service edge provider.

LastPass able to contain the damage

Taylor Ellis, customer threat analyst at, an automated penetration testing as a service company, praises LastPass for the way it has handled the incident. 

"Whenever a breach occurs, many organisations fail to isolate the incident quickly, or they struggle with how to guide a proper security investigation," she explains. "As an experienced security company, LastPass at least had the home team advantage by following the correct procedures, isolating the issue on time, and preventing their customers from being severely impacted by the breach."
