LastPass, the password manager used by more than 33 million people worldwide, said a hacker recently stole source code and proprietary information after breaking into its systems.
According to a blog post on Thursday, the company does not believe password theft was part of the breach, and users do not need to take any action to protect their accounts.
An investigation found that an “unauthorized party” had broken into the company's developer environment, the software employees use to build and maintain LastPass products. The company said the perpetrators were able to gain access through a compromised developer account.
The attack hit a company that generates and stores hard-to-crack passwords for its users' accounts, such as Netflix or Gmail, so that they do not have to enter credentials manually. LastPass lists Patagonia, Yelp Inc. and State Farm as customers on its website.
Cybersecurity site Bleeping Computer reported that it asked LastPass about the breach two weeks ago.
Allan Liska, an analyst with the computer security incident response team at cybersecurity firm Recorded Future, said he was impressed with LastPass’ “quick notifications.”
“While two weeks may seem like a long time to some, it can take a while for incident response teams to fully assess and report on the situation,” he said. “It will take time to fully determine the extent of the damage the breach may have caused. However, it does not appear to have any impact on customers at this time.”
LastPass did not immediately respond to a request for further comment.
There has been speculation on social media that hackers may be able to gain access to cryptographic vault keys after stealing source code and proprietary information.
“Stolen source code is unlikely to allow criminals to obtain customer passwords,” Liska said.