World’s top password manager LastPass says it was hacked

The CEO of password-manager company LastPass said Thursday that it was was recently hacked, but the company sees no evidence the incident exposed any customer data or passwords.

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” CEO Karim Toubba wrote in a letter to customers.

The software allows users to store their passwords for various accounts and websites in a “vault” that can be unlocked with a singular master password, also providing customers with auto-generated passwords designed to be hard to guess.

Toubba said the company became aware of the hack after observing unusual activity two weeks ago.

LastPass said its software is designed so that the company can never know or gain access to customers’ master passwords.

“Our investigation has shown no evidence of any unauthorized access to encrypted vault data,” the company wrote on a frequently asked questions page. “Our zero knowledge model ensures that only the customer has access to decrypt vault data.”  

The company said its products are operating normally and LastPass is working with a cybersecurity and forensics firm following the incident. 

“Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment,” Toubba told customers.