The last thing a company that lives on security wants is a security incident, but LastPass has confirmed that hackers penetrated the defenses of its development environment two weeks ago to steal its source code.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and certain proprietary technical information from LastPass,” password management company CEO Karim Toubba said in a notice to customers.
Toubba assured customers that an investigation was launched immediately after the unusual activity was detected and found “no evidence that this incident involved access to customer data or encrypted password vaults.” The breach occurred in the company’s development environment, and its zero-knowledge model means only the customer can decrypt the data in their vault.
The master passwords were also not compromised, according to an FAQ provided by the company. “We never store or know your master password. We use an industry-standard zero-knowledge architecture that ensures LastPass can never know or access our customers’ master passwords,” LastPass stated.
“Password managers make it easy to use unique strong passwords across multiple accounts, which is a key first step to staying safe online,” said Tom Davison, senior manager at Lookout. “However, if the master password is compromised or the password vault is exploited in some way, the impact can be very high.”
“Password managers would be a tough but attractive target for a threat actor, because they unlock – literally – a treasure trove of access to hundreds of thousands of accounts and sensitive customer data in an instant if they are hacked,” said Melissa Bischoping, director, endpoint security research specialist at Tanium.
Fortunately, however, Davison said, “it does not appear that user data or password vaults were compromised in this instance; however, the theft of the source code has been confirmed and attackers will be searching with all their might for potential weaknesses to exploit.”
Toubba said LastPass has “deployed containment and mitigation measures and engaged a leading cybersecurity and forensics company.” And while the company is continuing to investigate, he said, LastPass has “reached a state of containment, implemented additional heightened security measures, and sees no further evidence of unauthorized activity.”
And the company is considering additional mitigation techniques to make its environment more secure.
Sounds good so far, doesn’t it? But BleepingComputer, which broke the story, cited experts who said the company struggled to contain the breach, at least initially, and only disclosed the breach after being contacted by the media.
“No matter what companies do or how they may try to prevent their source code from leaking, it can still leak,” said Ajay Arora, co-founder and president of BluBracket. “That’s why it’s crucial that companies not only use tools that help prevent source code leaks, but also prepare for this eventuality.”
And Rajiv Pimplaskar, CEO of Dispersive Holdings, Inc., called the LastPass incident “a disappointing sequel to many similar MFA breaches we’ve seen over the past few weeks that confirm that even strong authentication solutions aren’t enough, for various reasons.”
Arora noted that additional consequences can arise if source code is stolen or leaked, including the disclosure of secrets about an application’s architecture. This, he explained, “can reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict further harm on an organization after the fact.”
“This is a complex issue, and while we don’t usually intervene in another company’s breach, I think we can comment on the future of password security and hygiene,” Bischoping said.
“The conversation around passwordless authentication is growing in popularity, especially with big players like Microsoft and Google, making it relatively easy to adopt,” Bischoping said. “If you are an existing LastPass customer, continue to monitor their website and official communications for further guidance. Currently, LastPass has not identified any items requiring specific actions by end users. They are engaging in internal mitigation, incident response and investigation efforts.”
While there are no known breaches of sensitive customer data and passwords, the breach “provides an opportunity to assess your security posture in the event that the scope of the breach expands or other breaches occur in the future – this is true whether you use LastPass specifically or not,” Bischoping said. “This may mean proactive password rotation, temporarily switching to another password manager or password management service. Use multi-factor authentication not only for your bank accounts and social networks, but above all for your LastPass or other password management solution. Many providers, including LastPass, are offering and migrating to ‘passwordless’ logins that use more advanced security technologies such as FIDO2 security keys. This reduces friction for end users and increases overall account security.”
To secure their operations, organizations must first eliminate secrets such as passwords, credentials and API tokens in source code, Arora said, “followed by balancing productive access against unnecessary risks, then researching any leaked code”.
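A minimal secret scanner of the kind Arora’s first step implies, added here as an illustration (it is not LastPass’s or BluBracket’s code): it runs a few hardcoded-credential patterns over constructed sample source lines, skips environment-variable and template placeholders, and attaches an entropy score to help triage. The patterns, placeholder prefixes and sample lines are assumptions, not any vendor’s rule set.

```python
import math
import re
from collections import Counter

# Illustrative patterns (assumed, not any vendor's rule set): quoted values assigned to
# credential-like names, AWS access key IDs, and PEM private-key headers.
PATTERNS = {
    "credential_assignment": re.compile(
        r'(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["\']([^"\']{8,})["\']'),
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
    "private_key_header": re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'),
}
# Values that reference a secret rather than contain one (env/template placeholders).
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")


def shannon_entropy(value):
    """Bits per character: random tokens score high, words like 'changeme' score low."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines):
    """Return one finding per (line, rule) hit; the matched value is masked in the preview."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(2) if rule == "credential_assignment" else match.group(0)
            if value.startswith(PLACEHOLDER_PREFIXES):
                continue  # a reference to a secret, not the secret itself
            findings.append({"line": lineno, "rule": rule, "preview": value[:4] + "...",
                             "entropy": round(shannon_entropy(value), 2)})
    return findings


# Constructed sample source lines (not taken from any real repository).
SAMPLE_SOURCE = [
    'DB_HOST = "db.internal.example"',           # hostname, not a credential
    'DB_PASSWORD = "s3cr3t-Example-P@ss-2022"',  # hardcoded password: flagged
    'API_KEY = "${API_KEY}"',                    # template placeholder: skipped
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',          # AWS documentation example key ID: flagged
    'token = os.environ["TOKEN"]',               # read from the environment: not flagged
    '-----BEGIN RSA PRIVATE KEY-----',           # key material in the tree: flagged
]
```

Calling `scan_lines(SAMPLE_SOURCE)` reports lines 2, 4 and 6; a real deployment would run this in a pre-commit hook or CI step so secrets never reach the repository that an attacker with a developer account could read.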
Davison advised LastPass users to “stay alert, follow the news, and watch for any unusual activity or login notifications on their accounts,” noting “it’s really important to configure all available MFA settings provided by LastPass, including the use of an app authenticator to secure connections (SMS has proven vulnerable to SIM card swapping attacks).”
Since additional MFA confirmations will be done through a mobile device for most users, “it’s critical that this is also secure.”
For those hesitant to use a password manager due to the risk involved, Bischoping reiterated their value. “I think another important point to remember is that the benefits of using a secure password management solution often far outweigh the risks of a potential breach and/or what this violation can make accessible,” she said. “When combined with the other security recommendations, it remains one of the best solutions for preventing credential theft and related attacks.”