No LastPass User Credentials Were Stolen, But The Hack Lasted For Days

lastpass AH

Last month’s LastPass hack resulted in some stolen source code but no user credentials appear to have been leaked. That’s based on reports following statements made by LastPass and its CEO, Karim Toubba. However, new details about the breach are still somewhat disconcerting.

Summarily, the bad actor in the breach was able to gain access to LastPass for no less than four days. Access was gained via a developer endpoint, which the hacker could access by successfully authenticating the account via multi-factor authentication.

The hacker then proceeded to effectively impersonate the developer to steal the top-rated password manager’s source code. That’s in addition to other technical information about LastPass.


How can any user be sure that they’re safe continuing to use their credentials for LastPass after the hack?

Now, it is concerning that the hacker in question managed to essentially remain inside LastPass’s deeper workings for days. And that they were able to steal source code, with future ramifications potentially stemming from that. Pending, of course, any changes made by LastPass.

With that said, the LastPass CEO did indicate that there’s not really any cause for concern for end users right now. The access gained by the hacker shows “no evidence” that any customer data was accessed. And there doesn’t appear to have been any access to encrypted password vaults either. Meaning that the hacker appears to have not been able to access users’ master passwords either.

Moreover, the hacker doesn’t appear to have left behind any malicious code. That means that, as of this writing, users don’t need to worry too much about using LastPass and its apps as normal. There shouldn’t be any viruses or other malware activated down the road from this attack. Or, at the very least, not any malware or viruses that were injected during this attack.


Any of LastPass’s 33 million registered customers who are still concerned are free to change their passwords, as they see fit.