Password app LastPass hit by cybersecurity breach but says data remains safe

<span>Photograph: Yui Mok/PA</span>
Photograph: Yui Mok/PA

Password manager LastPass has told customers that some of their information has been accessed in a cybersecurity breach, but says passwords remain safe.

LastPass is one of several password managers in the market that aims to reduce the reuse of passwords online, by storing themin a single app. It also makes it easier for users to generate strong passwords as required.

In August, LastPass determined that some of its source code and technical information was taken from unauthorised access to a third-party storage service the company had been using.

Related: Medibank hackers announce ‘case closed’ and dump huge data file on dark web

After an investigation the company said, while the threat actor had been able to access the company’s development environment, the system had prevented access to customer data or encrypted passwords.

At the time LastPass said the attacker had taken portions of source code and some proprietary LastPass technical information, but believed the risk to the app was limited.

LastPass said that its production environment was physically separate to the development environment and not directly connected. The company also conducted an analysis of its source code and production builds to verify there were no attempts to inject malicious code.

“Developers do not have the ability to push source code from the development environment into production,” the company said at the time.

“This capability is limited to a separate build release team and can only happen after the completion of rigorous code review, testing, and validation processes.”

However on Wednesday, the company’s CEO, Karim Toubba, advised customers that “an unauthorised party” using information gleaned from the previous attack had subsequently been able to access “certain elements of our customers’ information”.

Related: Is it worth taking out personal cyber insurance in case you are caught up in a data hack?

LastPass did not say what specifically that information was, but said passwords remained safely encrypted. LastPass also has no access to customers’ master passwords, meaning only the user has access to decrypt the passwords they are storing.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” Toubba said.

“In the meantime, we can confirm that LastPass products and services remain fully functional.”

Toubba said the company would put in place more security measures and monitoring to detect any more threat actor activity.