Some proprietary information was also stolen, the company said Thursday. “After launching an immediate investigation, we saw no evidence that this incident involved any access to customer data or encrypted password vaults,” he added. News service Bleeping Computer reported that the statement came after it asked the company for comment on Sunday, when informed by people familiar with the matter. “Two weeks ago we detected some unusual activity in parts of the LastPass development environment,” the Boston-based company said in its statement. “We found that an unauthorized party gained access to parts of the LastPass development environment through a single compromised developer account and took parts of the source code and some proprietary technical information of LastPass. Our products and services are working normally. “In response to the incident, we implemented containment and mitigation measures and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. “ It has not explained how the staff account was compromised. In a frequently asked question accompanying Thursday’s statement, the company said the incident did not compromise customers’ master passwords or their data vaults. For now, LastPass said, neither users nor administrators need to take any action to secure their accounts. The company says it has 100,000 business customers, as well as individual users. It has a total of 33 million registered users, with the “significant majority” represented by enterprise customers. LastPass is in the process of being spun off from its parent company, GoTo (formerly LogMein). In April, LastPass named Karim Toubba as its new CEO. In May it added a chief security technology officer. It’s the second major cyber incident to hit LastPass in the past eight months. In December, Bleeping Computer reported that some LastPass customers were notified after attempts to access the password manager with a master password. At the time, a LogMein official said a threat actor was likely trying to gain access to user accounts with email addresses and passwords obtained from third-party data breaches.
