LastPass was hacked -- again

The good news is that no passwords appear to have been revealed from the password-saving site. The bad news is that its source code has been compromised.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

LastPass, the popular password management service, recently announced that it was hacked. Specifically, LastPass's CEO Karim Toubba wrote that an "unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information."

This isn't the first time LastPass has had security problems. In 2021, it appeared that some users' LastPass Master Passwords may have been revealed. LastPass replied that it hadn't been breached, but users who had gotten emails warning them that an unknown person was trying to log into their accounts weren't convinced. Nevertheless, LastPass insisted that it was just the result of a credential stuffing attack

Also: Want to ditch LastPass? Here are the best alternatives to try

In 2020, LastPass had a major outage, and users reported they couldn't log into their accounts or autofill passwords. In 2019, a significant LastPass security problem was uncovered by security researchers as well.

None of these problems alone are that bad. Yes, it's awful that one developer's account was hacked, but it happens. 

That said, it's still concerning that the biggest password security company -- with a claimed 20 million customers -- has significant, annual security problems.

True, as Toubba claimed, with this week's hack, "We have seen no evidence that this incident involved any access to customer data or encrypted password vaults." But with proprietary source code and technical secrets revealed, the possibility of an attack that could reveal users' passwords is certainly there.

This is yet another example of how proprietary code is less secure than open-source code. With open-source password programs, such as Bitwarden, all the code is checked by independent experts. This ensures potential security weaknesses can be spotted before they become security holes. 

In this case, however, LastPass has "engaged a leading cybersecurity and forensics firm" to investigate what happened. LastPass is also implementing enhanced security measures. They've seen "no further evidence of unauthorized activity." 

From where I sit, this is too little, too late. But it's still something. 

LastPass, with its zero-knowledge model, is still a good password security company. But if you want to look for another password manager, no one would blame you.

Related Stories:

Editorial standards