LastPass, the popular password manager used by millions of people around the world, has announced that it suffered a security breach two weeks ago that saw attackers break into its systems and steal information.

But don’t panic just yet – that doesn’t mean that all of your passwords are now in the hands of internet criminals. Although the breach is clearly not good news, the company says that there is no evidence that the attackers were able to access customer data or encrypted password vaults.

In a blog post revealing the security incident, LastPass CEO Karim Toubba announced that two weeks ago the company detected “some unusual activity within portions of the LastPass development environment.”

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”

In a brief FAQ the company addresses questions that will probably be foremost in the minds of its approximately 25 million users. Here’s my executive summary.

1. Has my Master password or the Master Password of my users been compromised?

No. LastPass doesn’t store users’ master passwords. If you never store or have knowledge of a piece of data, and can’t access it yourself, then it also can’t be stolen from you.

2. Has any data within my vault or my users’ vaults been compromised?

No. LastPass says that the incident occurred in its development environment, and it has seen no evidence of any unauthorised access to encrypted vault data. Again, you can hear the sigh of relief from LastPass users who may have feared that their passwords had fallen into the wrong hands. The benefit of LastPass’s zero-knowledge architecture is