LastPass confirms attackers stole some source code

Earlier this week, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.” In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

Toubba continues on to explain that the company has “implemented additional enhanced security measures” after containing the breach, which it detected two weeks ago. The company wouldn’t comment on how long the breach had been going on before it was detected.

As LastPass explains, at this point its users don’t have to do anything — there’s no reason for you to spend an afternoon changing your master password and doing a full security audit. LastPass, on the other hand, probably has its work cut out for it making sure that it doesn’t have to make any changes now that an unauthorized party may have access to its source code.

To be clear, hackers having access to a program’s source code doesn’t immediately mean they can instantly pwn it, breaking through its defenses. Famously, Microsoft says it doesn’t rely on its source code remaining private for security and says that people being able to read it shouldn’t be a risk (which is a good thing because its source code leaks a lot). And while that should be the case for any company, especially ones whose entire deal is keeping your passwords safe, I’d probably want the company to be poring over its code just to make sure there aren’t any subtle vulnerabilities that it missed if I were a LastPass customer.

Despite the fact that the breach doesn’t seem to be a red alert for security problems at the company, it’s still not a great look for a password manager that’s been struggling with its reputation. It’s just the latest in a line of incidents for LastPass (the software’s Wikipedia page is largely comprised of a section titled “security issues”), and the company also earned the ire of many users for changing its free tier to be significantly less useful in early 2021.