LastPass Notified Users of Security Incident

In late August, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.”

In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

LastPass’s software acts like a safe for your valuable passwords and private information. Because of the way LastPass works, the company itself can never see the contents of the “safes” it produces. This security incident is as if the designs for a safe had been stolen from a safe-making factory, but not the actual safes themselves or the valuable information that resides in those safes, such as passwords.

Hackers having access to a program’s source code doesn’t mean they can immediately compromise it or break through its defences. Famously, Microsoft says it doesn’t rely on its source code remaining private for security, and that people being able to read it shouldn’t be a risk.

As LastPass explains, at this point if you are a LastPass user you don’t have to do anything — there’s no reason for you to spend an afternoon changing your master password and doing a full security audit.

If LastPass changes its position or releases further information on the matter, we will share it here.

If you have any questions or wish to know more about this incident, please contact us below.

Contact