LastPass confirms hackers stole source code, proprietary technical information


The last thing any security company needs is a security breach, but LastPass confirmed that hackers breached its development environment two weeks ago and stole source code.

“We have determined that an unauthorized party accessed the LastPass development environment at one time with a compromised developer account and took some of the source code and some proprietary LastPass technical information,” said Karim Toubba, CEO of the password management company, in a notice to customers.

Toubba told customers that an investigation was launched immediately upon discovery of the unusual activity, adding that “there is no evidence that this incident involved access to customer information or encrypted password vaults.” The breach occurred in the company’s development environment; under LastPass’s zero-knowledge model, only the customer can decrypt the data in their vault.

According to the company’s repeated assurances, master passwords were also not compromised. “We do not store or know your master password. We use an industry-standard zero-knowledge architecture that ensures LastPass will never know or access our customers’ master passwords,” LastPass said.
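To make the zero-knowledge claim concrete, here is an added, self-contained illustration of why stolen server-side data (or source code) does not hand an attacker the vault contents: the client derives the vault key from the master password and sends only a separate one-way verifier to the server. This is example code written for this article, not LastPass’s own implementation; the iteration counts, the use of the email address as salt, the sample vault contents and the toy HMAC-counter cipher are all assumptions made so it runs with the Python standard library alone.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factors for this example (not LastPass's real parameters).
CLIENT_ITERATIONS = 100_000   # client-side PBKDF2 over the master password
SERVER_ITERATIONS = 10_000    # extra server-side hashing of the login verifier


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client only: the key that decrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS)


def derive_auth_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Client only: one more one-way step; this value, not the key, is sent at login."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-counter-mode cipher so the example needs no third-party library.
    A real client would use an authenticated cipher such as AES-GCM instead."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(vault_key, nonce, plaintext)


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    return keystream_xor(vault_key, blob[:16], blob[16:])


class ZeroKnowledgeServer:
    """Holds only a salted hash of the verifier plus the encrypted blob."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def register(self, email: str, verifier: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.records[email] = {
            "salt": salt,
            "verifier_hash": hashlib.pbkdf2_hmac("sha256", verifier, salt, SERVER_ITERATIONS),
            "vault": blob,
        }

    def login(self, email: str, verifier: bytes) -> Optional[bytes]:
        rec = self.records.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", verifier, rec["salt"], SERVER_ITERATIONS)
        # Constant-time compare so the check itself leaks nothing about the stored hash.
        if hmac.compare_digest(candidate, rec["verifier_hash"]):
            return rec["vault"]
        return None


def demo(master_password: str = "correct horse battery staple",
         email: str = "user@example.invalid") -> dict:
    """Runs a register/login round trip and reports what the server ends up holding."""
    vault_plaintext = b"site=bank.example.invalid;user=alice;pw=s3cr3t"  # constructed sample
    vault_key = derive_vault_key(master_password, email)
    verifier = derive_auth_verifier(vault_key, master_password)
    server = ZeroKnowledgeServer()
    server.register(email, verifier, encrypt_vault(vault_key, vault_plaintext))

    blob = server.login(email, verifier)
    wrong_key = derive_vault_key("wrong password", email)
    wrong_verifier = derive_auth_verifier(wrong_key, "wrong password")
    stored = server.records[email]
    return {
        "login_ok": blob is not None,
        "decrypted": decrypt_vault(vault_key, blob) if blob is not None else None,
        "wrong_password_rejected": server.login(email, wrong_verifier) is None,
        # Neither the master password nor the vault key may appear in the server record.
        "server_holds_secret": (master_password.encode() in stored["vault"]
                                or vault_key in stored.values()
                                or vault_key == stored["verifier_hash"]),
    }


if __name__ == "__main__":
    print(demo())
```

The point the article's quote relies on is visible in `demo()`: the server record contains a salt, a hash of the verifier and an opaque blob, so a copy of the database (or of the code that produced it) still leaves an attacker needing the master password to get anywhere.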

“Password managers make it easy to use unique, strong passwords across multiple accounts, which is the first step to staying safe online,” said Tom Davison, senior director at Lookout. “However, if the master password is compromised or the password manager is compromised in some way, the impact can be very high.”

“Password managers can be a challenging but attractive target for a threat actor,” said Melissa Bischoping, Director, Endpoint Security Research Specialist at Tanium.

Fortunately, though, Davison said, “In this case, it doesn’t appear that user data or password vaults were compromised; however, the source code is confirmed to have been stolen, and attackers are looking hard to find vulnerabilities that could be exploited.”

According to Toubba, LastPass “has deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm.” And while the company continues to investigate, LastPass says it has “achieved containment, implemented additional enhanced security measures, and sees no further evidence of unauthorized activity.”

The company is also considering additional mitigation techniques aimed at strengthening the security of its environment.

Sounds good, so far, right? But BleepingComputer, which broke the story, cited experts who said the company struggled to contain the breach, at least initially, and didn’t disclose the breach until the news outlet discovered it.

“No matter what companies do or how they try to prevent their source code from being leaked, it can still leak,” said Ajay Arora, co-founder and president of BluBracket. “That’s why it’s important that companies not only use tools to prevent source code leaks, but also prepare themselves for it.”

Dispersive Holdings Inc. CEO Rajiv Pimplaskar described the LastPass incident as “an unfortunate continuation of the many similar MFA breaches we’ve seen over the past several weeks, proving that even strong authentication solutions are inadequate for a variety of reasons.”

Arora said that if source code is stolen or leaked, additional consequences can occur, including disclosure of secrets about the application’s architecture. This, he explained, “may reveal where certain data is stored and what other resources an organization uses.” These factors arm bad actors to cause further damage to an organization after the fact.

“This is a complex issue, and while we don’t typically look at another company’s breach, I think we can comment on the future of password security and password sanity,” Bischoping said.

“The conversation around passwordless authentication is gaining popularity, especially with big players like Microsoft and Google making adoption relatively painless,” Bischoping said. “If you are an existing LastPass customer, please continue to monitor their website and official communications for new instructions. Currently, LastPass does not identify anything that forces specific actions by end users. They are involved in mitigation efforts, incident response and internal investigations.”

While there is no known breach of sensitive customer information and passwords, the breach “provides an opportunity to reassess your security posture as the scope of the breach expands or other breaches occur — this is true regardless of whether you use LastPass specifically or not,” Bischoping said. This may mean actively rotating passwords, or temporarily switching to another password manager or password management service. Use multi-factor authentication, not just for your bank accounts and social media, but especially for your LastPass or other password management solution. Many vendors, including LastPass, are offering and migrating to ‘passwordless’ logins that use advanced security technologies such as FIDO2 security keys. This reduces friction for end users and increases overall account security.

To protect their operations, organizations must first remove secrets such as passwords, credentials and API tokens from source code, Arora said, “followed by balancing productive access with unnecessary risk and monitoring any code that leaks.”
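Arora’s first recommendation, keeping passwords, credentials and API tokens out of source code, is usually enforced with a scanner that runs before a commit lands. The following is an added example of such a scanner, written for this article rather than taken from any product or from BluBracket: it combines a few credential patterns with a Shannon-entropy check so that obvious placeholders are not reported as secrets. The token formats and the sample source lines are constructed for illustration and are not tied to any particular provider.

```python
import math
import re
from typing import Dict, List

# Constructed detection rules. Group 2 of the generic rule captures the value.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HIGH_ENTROPY_BITS = 3.0   # assumed threshold separating random-looking values from words


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def looks_like_placeholder(value: str) -> bool:
    """Values such as "${API_KEY}" or "<your-token>" are templates, not secrets."""
    return value.startswith(("$", "<")) or "{{" in value


def redact(value: str) -> str:
    return value[:4] + "****" if len(value) > 4 else "****"


def scan_line(lineno: int, line: str) -> List[dict]:
    findings = []
    for rule, pattern in PATTERNS.items():
        match = pattern.search(line)
        if not match:
            continue
        value = match.group(2) if match.lastindex else match.group(0)
        if rule == "generic_api_key":
            if looks_like_placeholder(value):
                continue
            # A low-entropy literal like "changeme" is still a hardcoded credential,
            # just a less convincing one, so it is reported at lower severity.
            severity = "high" if shannon_entropy(value) >= HIGH_ENTROPY_BITS else "low"
        else:
            severity = "high"
        findings.append({"line": lineno, "rule": rule,
                         "severity": severity, "value": redact(value)})
    return findings


def scan_source(text: str) -> List[dict]:
    """Scans a whole file's text and returns every finding in line order."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        results.extend(scan_line(lineno, line))
    return results


# Constructed sample file: one correct pattern (secret read from the
# environment) next to several hardcoded credentials and one placeholder.
SAMPLE_SOURCE = """\
import os
API_KEY = os.environ["SERVICE_API_KEY"]
api_key = "q7X2v9LkPm4RtY8wZc1NbV6hJ3sD"
aws_access_key_id = "AKIAEXAMPLE012345678"
password = "changeme"
TOKEN = "${SERVICE_TOKEN}"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['severity']}) {f['value']}")
```

Line 2 of the sample is the shape the rest of the file should take: the secret lives in the environment (or a secrets manager) and only its name appears in code. The same `scan_source` function can be pointed at a repository’s history to cover the second half of Arora’s advice, monitoring for code that has already leaked.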

Davison advises LastPass users to “stay vigilant, monitor the news and watch for any unusual activity or login notifications on their account,” adding, “It’s really important to configure all the MFA settings provided by LastPass, including using authenticator app secure logins (SMS has been shown to be vulnerable to SIM swap attacks).”

“For most users, additional MFA authentication is done through a mobile device, so it’s important that it’s secure.”

For those hesitant to use a password manager because of the risk, Bischoping reiterated their value. “I think another important step is that the benefits of using a secure password management solution far outweigh the risk of a breach,” she says.
