LastPass, a popular password manager, has experienced a “security incident” in which an unauthorised third party gained access to “certain elements” of customers’ information.

There is no evidence to suggest that the threat actor obtained access to users’ sensitive passwords.

In a blog post addressed to “all LastPass customers” on Wednesday, CEO Karim Toubba said: “We have determined that an unauthorised party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s zero-knowledge architecture,” he wrote.

The August incident referred to by Toubba was when LastPass detected “unusual activity within portions of the LastPass development environment”. At the time, Toubba said that there was “no evidence that this incident involved any access to customer data or encrypted password vaults”.

“We have determined that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” he wrote at the time.

In a later blog post, published in September and following further investigation, he said: “Although the threat actor was able to access the development environment, our system design and controls prevented them from accessing any customer data or encrypted password vaults.”

In Wednesday’s blog post about the latest incident, Toubba wrote: “We are working diligently to understand its scope … and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”