
LastPass source code and blueprints stolen by intruder

LastPass has announced that one of its developer accounts has been breached and used to gain access to proprietary data. However, the organisation claims that its 25 million users and 80,000 customer passwords are still safe.

LastPass is a password manager that stores encrypted passwords online for free. The standard version includes a web interface, browser plugins, a mobile application and bookmarklet support.

Following the attack, LastPass CEO Karim Toubba announced:

“We have determined that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally”.

Toubba added that after initiating an immediate investigation, there was no evidence that the incident involved any access to customer data or encrypted password vaults.

A data breach is a matter of immense concern for many LastPass customers, as they trust LastPass to keep their passwords and related data secure.

However, the company maintains its stance that customers will experience no impact. If passwords had been breached as a result of this attack, the breach would be significant for many users, including acclaimed businesses and users with poor password maintenance.

Additionally, LastPass assures users that the master password used for all users’ connected devices is unaffected. The company maintains that all passwords are secure and that only the customer can decrypt any vault data.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
