Password manager LastPass reported a security breach on Thursday but has assured customers that no data or encrypted password vaults were accessed.
In a blog post on Thursday, Karim Toubba, CEO of LastPass, said the company detected unusual activity across portions of its developer systems.
The company was hacked through one compromised developer’s account, and portions of source code and some proprietary LastPass technical information were stolen.
Toubba assured customers that the company’s investigation found no breach of customer information. “Our products and services are operating normally,” he said. LastPass in 2020 reported 25 million users.
In a list of FAQs, LastPass guaranteed users that their Master Password was not compromised, as the company does not store or have knowledge of the master password. Neither customers’ encrypted vault data nor their private information was accessed, the company added.
The company is carrying out “containment and mitigation measures” and has enlisted the services of a cybersecurity firm to continue the investigation.
“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” Toubba added.
“Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment.
“We will continue to update you with the transparency you deserve.”
LastPass was last hacked in 2015, when users’ email addresses, encrypted master passwords and reminder words were accessed.
LastPass was set up in 2008 and was bought by software company LogMeIn in 2015. LogMeIn is now GoTo, with private-equity ownership.