LastPass security incident reported

LastPass users will have received an email in the last few days confirming that:

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.”

You can read more detail and an FAQ from their CEO at, but there is reassurance that

  • Master passwords have not been compromised
  • No data within any vaults been compromised
  • No personal information has been compromised
  • At the time of writing this, LastPass do not recommend any need be taken.

If you are a LastPass user, as we are, I recommend that you read the blog in full, but LastPass’s ‘zero knowledge’ approach seems to have protected its users and, to quote the blog “Our zero knowledge model ensures that only the customer has access to decrypt vault data.” They also link to a fuller description of their ‘zero knowledge’ approach, which is worth a read at