LastPass: Hacker Had Access to Development System for 4 Days

LastPass issues an update on its investigation into the August hack. 'There is no evidence that this incident involved any access to customer data or encrypted password vaults,' it says.

Michael Kan, Principal Reporter

The hacker who infiltrated LastPass last month had access for four days, according to the company’s investigation. However, LastPass has found no evidence the culprit ever tampered with the company’s software code or accessed user information, such as encrypted passwords. 

The company completed its investigation into the breach with the help of cybersecurity firm Mandiant. The results confirm the hacker only managed to gain access to LastPass’s internal IT systems devoted to software development. 

“Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022,” LastPass said in an update on the breach. “During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident. There is no evidence of any threat actor activity beyond the established timeline.”

The investigation also found the attacker exploited a “compromised endpoint” belonging to a LastPass developer, meaning they hijacked access to the developer's computer, possibly through malware.

“While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication,” LastPass says.

Fortunately, the company designed its development software systems to operate separately from the production side of LastPass. “Secondly the Development environment does not contain any customer data or encrypted vaults,” it adds. “Thirdly, LastPass does not have any access to the master passwords of our customers’ vaults.”

Nevertheless, the access allowed the hacker to steal some portions of LastPass’s source code. During the investigation, the company checked whether the attacker may have tampered with any computer code on the developer side. “We conducted an analysis of our source code and production builds and confirm that we see no evidence of attempts of code-poisoning or malicious code injection,” LastPass said.

The company added: “Developers do not have the ability to push source code from the Development environment into Production. This capability is limited to a separate Build Release team and can only happen after the completion of rigorous code review, testing, and validation processes.”  

LastPass says it hired “a leading cyber security firm” to bolster its safeguards around accessing and storing company source code. “Further, we have deployed enhanced security controls including additional endpoint security controls and monitoring,” it adds. 

However, LastPass declined to answer questions about who may be responsible for the attack, including whether it's linked to a recent wave of SMS phishing attacks against numerous companies. “We have completed our investigation into the security incident and have updated our blog post on the incident to provide transparency and peace of mind to our customers,” it said in response to a request for comment.
