LastPass, a password manager used by more than 33 million people around the world, said a hacker recently stole source code and proprietary information after breaking into its systems.

The company doesn’t believe any passwords were taken as part of the breach and users shouldn’t have to take action to secure their accounts, according to a blog post on Thursday. 

An investigation determined that an “unauthorized party” cracked into its developer environment, which is the software that employees use to build and maintain LastPass’s product. The perpetrators were able to gain access through a single compromised developer’s account, the company said.

The attack struck a company that generates and stores hard-to-crack, auto-generated passwords for multiple accounts, like Netflix or Gmail, on behalf of its users — without the need to manually enter credentials. LastPass lists Patagonia, Yelp Inc. and State Farm as customers on its website.

Cybersecurity website Bleeping Computer reported that it had asked LastPass about the breach two weeks ago. 

Allan Liska, an analyst on the Computer Security Incident Response Team at cybersecurity company Recorded Future, said he was impressed with the “speedy notification” from LastPass.

Advertising

“While two weeks might seem like a long time to some, it can take a while for incident response teams to fully assess and report on a situation,” he said. “it will take time to fully determine the extent of any damage that may have been as result of the breach. However, for now it appears to not be client-impacting.”

What to do

If you are hit by a data breach or ID theft:

While there is no foolproof way to ensure that your information is safe, there are some steps you can take to protect yourself from identity theft.

Call the companies where the fraud may have occurred.

Work with one of the credit bureaus (Experian, TransUnion and Equifax) to check your credit report for suspicious activity and to place a fraud alert or credit freeze on your credit report.

Report the identity theft to the FTC at IdentityTheft.gov.

File a report with your local police department.

Send a copy of the police report to the three major credit bureaus.

Ask businesses to provide you with information about transactions made in your name. A template for a letter you can complete and send to businesses to request records is available on the Attorney General’s Office website at: https://www.atg.wa.gov/db-letter

If you receive a breach notification or believe that you may be a victim of identity theft, please visit the Washington Attorney General’s website for help.

More

LastPass didn’t immediately respond to a request for further comment.

There was speculation on social media that hackers may be able to access the keys to password vaults after stealing source code and proprietary information. 

“It is unlikely that the stolen source code will give the criminals access to customer passwords,” Liska said.

More