LastPass Admits Hackers Stole Source Code, Proprietary Tech Info

The last thing any company that makes its living from security wants is a security incident, but LastPass has confirmed that hackers penetrated the defenses of its development environment two weeks ago to steal its source code.

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” the password management firm’s CEO Karim Toubba said in an advisory to customers.

Toubba assured customers that an investigation was initiated immediately after unusual activity was detected and found “no evidence that this incident involved any access to customer data or encrypted password vaults.” The breach was confined to the company’s development environment, and under its zero-knowledge model only the customer holds the key needed to decrypt a vault.

Nor were master passwords compromised, according to an FAQ provided by the company. “We never store or have knowledge of your master password. We utilize an industry-standard zero-knowledge architecture that ensures LastPass can never know or gain access to our customers’ master passwords,” LastPass said.
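To make concrete what the “zero-knowledge” claim in the two paragraphs above means when a backend or development system is breached, here is an added, illustrative model of a client-side vault scheme. It is not LastPass’s code: the KDF (PBKDF2-HMAC-SHA256 with the account e-mail as salt and 600,000 iterations), the extra one-way step that turns the vault key into a login token, and the HMAC-based stand-in for an authenticated cipher are all assumptions chosen so the demo runs with the standard library alone, and the sample vault contents are constructed.

```python
"""Zero-knowledge vault model: added illustration, not LastPass's code or parameters.

Assumptions (none are from the article): PBKDF2-HMAC-SHA256 as the KDF with the
account e-mail as salt, 600,000 iterations, and an HMAC-SHA256 keystream plus an
encrypt-then-MAC tag standing in for a real AEAD such as AES-256-GCM.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed cost; matches OWASP's 2023 guidance for PBKDF2-HMAC-SHA256

# ---- client side: the only place the master password ever exists ----

def derive_vault_key(master_password: str, email: str) -> bytes:
    """The key that encrypts the vault. Computed on the device, never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)

def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends at login: one extra one-way step over the vault key,
    so the server sees neither the master password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)

def _subkeys(vault_key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode HMAC keystream; stand-in for a real cipher in this demo."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> dict:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def decrypt_vault(vault_key: bytes, blob: dict) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):  # verify before decrypting
        raise ValueError("vault tag mismatch: wrong master password or tampered blob")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))

# ---- server side: everything an attacker with backend access could take ----

def server_enroll(auth_token: bytes) -> dict:
    """Store a salted, stretched hash of the auth token, never the token itself."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS, dklen=32)}

def server_verify(record: dict, auth_token: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["salt"], ITERATIONS, dklen=32)
    return hmac.compare_digest(record["verifier"], candidate)

def demo(master_password: str = "correct horse battery staple",
         email: str = "alice@example.com") -> dict:
    """Enroll, encrypt a constructed vault, then check what the server-side data reveals."""
    vault = b'{"github.com": {"user": "alice", "password": "constructed-not-real"}}'
    key = derive_vault_key(master_password, email)
    token = derive_auth_token(key, master_password)
    record = server_enroll(token)
    blob = encrypt_vault(key, vault)  # stored server-side next to the record

    wrong_pw = master_password + "r"
    wrong_key = derive_vault_key(wrong_pw, email)
    try:
        decrypt_vault(wrong_key, blob)
        wrong_key_decrypts = True
    except ValueError:
        wrong_key_decrypts = False

    server_holds = record["salt"] + record["verifier"] + blob["nonce"] + blob["ciphertext"] + blob["tag"]
    return {
        "login_ok": server_verify(record, token),
        "wrong_password_login_ok": server_verify(record, derive_auth_token(wrong_key, wrong_pw)),
        "wrong_key_decrypts": wrong_key_decrypts,
        "roundtrip": decrypt_vault(key, blob) == vault,
        "master_password_on_server": master_password.encode() in server_holds,
        "vault_key_on_server": key in server_holds,
    }

if __name__ == "__main__":
    print(demo())
```

The point to take from the model: everything the server stores (the salted verifier and the encrypted blob) is derived one-way from the master password, so stolen source code tells an attacker how the derivation works but not what any user’s key is. The remaining offline avenue is guessing master passwords against the KDF, which is why the iteration count and the strength of the master password matter.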

“Password managers make it really easy to use unique strong passwords across multiple accounts, which is a key first step to staying secure online,” said Tom Davison, senior director at Lookout. “However, if the master password is compromised, or the password vault somehow exploited, then the impact can be very high.”

“Password managers would be a challenging but attractive target for a threat actor, as they unlock—quite literally—a treasure trove of access to hundreds of thousands of accounts and sensitive customer data in an instant if they are breached,” said Melissa Bischoping, director, endpoint security research specialist at Tanium.

Fortunately, though, Davison said, “it does not appear that user data or password vaults have been compromised in this case; however, source code was confirmed stolen and attackers will be looking hard for potential weaknesses to exploit.”

Toubba said LastPass has “deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm.” And while the company will continue to investigate, he said, LastPass has “achieved a state of containment, implemented additional enhanced security measures and sees no further evidence of unauthorized activity.”

And the company is considering additional mitigation techniques meant to bolster the security of its environment.

Sounds good, so far, right? But BleepingComputer, which broke the story, cited experts who contended the company struggled to contain the breach, at least initially, and didn’t disclose the breach until after it was contacted by the news outlet.

“No matter what companies do or how they may try to prevent their source code from leaking, it can still leak,” said Ajay Arora, co-founder and president at BluBracket. “This is why it’s crucial that companies not only use tools that help prevent the source code from leaking, but that they also prepare themselves for that eventuality.”

And Rajiv Pimplaskar, CEO of Dispersive Holdings, Inc., called the LastPass incident “a disappointing continuation of many similar MFA breaches we have seen over the course of past several weeks that validate that even strong authentication solutions are not enough for various reasons.”

Arora noted that additional consequences can occur from stolen or leaked source code including the disclosure of secrets about an application’s architecture. This, he explained, “may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact.”

“This is a complex issue, and while we don’t typically weigh in on another company’s breach, I think we can comment on the future of password security and password hygiene,” Bischoping said.

“The conversation around passwordless authentication is gaining in popularity, especially with the big players like Microsoft and Google making it relatively painless to adopt,” Bischoping said. “If you’re an existing LastPass customer, continue to monitor their website and official communications for new guidance. Currently, LastPass has not identified anything that would necessitate specific actions by end users. They are engaging in mitigation efforts and incident response and investigation internally.”

While there is no known breach of customers’ sensitive data and passwords, the breach “does offer an opportunity to evaluate your security posture in the event the scope of the breach expands or other breaches happen in the future—this is true regardless of if you use LastPass specifically or not,” Bischoping said. “This may mean proactively rotating passwords, temporarily switching to another password manager or password management service. Use multi-factor authentication for not just your bank accounts and social media, but especially for your LastPass or other password management solution. Many providers, including LastPass, are offering and migrating to ‘passwordless’ logins which use more advanced security technologies such as FIDO2 security keys.  This reduces friction for end-users and increases the overall account security.”

To secure their operations, organizations should first eliminate secrets such as passwords, credentials and API tokens in source code, Arora said, “followed by balancing productive access against unnecessary risk, and then tracking for any leaked code.”
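Arora’s first step, eliminating secrets from source code, starts with finding them. The following is an added example of a minimal secret scanner, not a LastPass or BluBracket tool: the rule set (AWS access key IDs, GitHub personal access tokens, keyword assignments, high-entropy literals), the placeholder filter, the entropy threshold and the sample source file are all constructed for the demo. The AWS key in the sample is AWS’s documented example key and the GitHub token is a made-up string of the right shape; neither is live.

```python
"""Secret scanner over source text: added example, not a LastPass or BluBracket tool.

Every rule, threshold and sample line below is constructed for the demo; treat each
hit as a candidate to verify and rotate, not as a confirmed live credential.
"""
import math
import re
from dataclasses import dataclass

# Well-formed token shapes: flagged regardless of surrounding context.
TOKEN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# A secret-ish identifier assigned a quoted literal of at least 8 characters.
KEYWORD_RULE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token|signing[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
# Any quoted literal long enough to be worth an entropy check.
QUOTED = re.compile(r"[\"']([^\"']{20,})[\"']")
PLACEHOLDER_MARKERS = ("<", ">", "changeme", "redacted", "your-", "xxx")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune against your own code base

# Constructed sample file; none of these values are real credentials.
SAMPLE_SOURCE = """\
import os
# constructed sample file for the scanner demo; none of these values are real
DB_PASSWORD = "Tr0ub4dor&3-hunter2-xyz"          # hard-coded password
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"        # AWS documentation example key
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
API_KEY = os.environ["SERVICE_API_KEY"]            # hardened: read at runtime, not committed
password = "<your-password-here>"                  # placeholder, should not be flagged
BLOB = "u8Zq4k9FhY2pLxW7nV0cR3tE6sB1mA5jQ9dK2gH8"  # opaque high-entropy string, no keyword
"""

@dataclass
class Finding:
    line: int
    rule: str
    preview: str  # never log the full value; a scanner that prints secrets leaks them again

def shannon_entropy(s: str) -> float:
    """Bits per character of the literal; random-looking keys score well above prose."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)

def redact(value: str) -> str:
    return value[:4] + "..." + f"({len(value)} chars)"

def scan_source(text: str) -> list:
    """Return at most one Finding per line, most specific rule first."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = None
        for name, pattern in TOKEN_RULES:
            m = pattern.search(line)
            if m:
                hit = Finding(lineno, name, redact(m.group(0)))
                break
        if hit is None:
            m = KEYWORD_RULE.search(line)
            if m and not looks_like_placeholder(m.group(2)):
                hit = Finding(lineno, "keyword_assignment", redact(m.group(2)))
        if hit is None:
            for m in QUOTED.finditer(line):
                value = m.group(1)
                if not looks_like_placeholder(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    hit = Finding(lineno, "high_entropy_literal", redact(value))
                    break
        if hit is not None:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} -> {f.preview}")
```

Run as a pre-commit hook or CI step it blocks the common cases; the environment-variable line shows the replacement pattern. Treat every confirmed hit as a rotation event rather than a deletion, because the value remains in version-control history after the line is removed.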

Davison advised LastPass users to “stay vigilant, follow the news and watch for any unusual activity or login notifications across their accounts,” noting “it is really important to configure all of the available MFA settings provided by LastPass, including the use of an authenticator app to secure logins (SMS has been shown to be vulnerable to SIM swap attacks).”

Since additional MFA confirmations will be done via a mobile device for most users, “it is vital that this is secured, too.”

For those hesitant to use a password manager because of the risk involved, Bischoping reiterated their value. “I think another important takeaway is that the benefits of using a secure password management solution often far outweigh the risks of a potential breach and/or what that breach may make accessible,” she said. “When layered with the other security recommendations, it’s still one of the best solutions to prevent credential theft and associated attacks.”
