LastPass, one of the largest freemium cloud-based password managers with more than 25 million users, has been hacked. The hackers made off with "portions of source code," according to an announcement by the company itself. The good news is that no user information or passwords were at risk.
In a blog post (via sweclockers), LastPass revealed today that it was exposed to a data breach two weeks ago. The company "detected some unusual activity within portions of the LastPass development environment," which resulted in the theft of proprietary data. A compromised developer account is to blame for the breach. Fingers crossed they weren't using 'password' or '12345' or this is going to get embarrassing for someone.
As far as users' personal information and passwords are concerned, there's no evidence of customer data or account master passwords being accessed, according to LastPass.
Users' encrypted vault data also appears not to have been affected. LastPass says the whole incident took place in its "developer environment," which means that it went nowhere near touching any of the encrypted vault data.
In addition to passwords, LastPass users can also store digital copies of personal records like ID and insurance cards in a vault in the cloud. The premium version of the service gives you access to this vault across multiple devices.
"In response to the incident, we have deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm," wrote Karim Toubba, CEO of LastPass. "While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity."
Last year, LastPass suffered a credential stuffing attack, where hackers attempted to access users' cloud-hosted password vaults. In 2015, LastPass told its customers to change their master passwords after a data breach occurred where hackers managed to steal some user data (but no passwords).
If you're a LastPass user, the company says there's no action you need to take right now. However, LastPass does recommend that you set up authentication via the LastPass Authenticator app and make sure you keep all your devices up to date.