Hackers Steal Portions Of LastPass Source Code But Don't Panic Says Company
The password manager LastPass has published a blog post notifying users of a recent data breach. According to the CEO, Karim Toubba, the breach affected parts of the company’s development environment but did not touch any databases containing user data or passwords. Rather than stealing user information, it seems that the threat actor behind this breach instead stole portions of LastPass source code, as well as some proprietary technical information. We’ll have to see whether the thief comes forward to publish this stolen information, either for sale or as part of an extortion scheme.
LastPass identifies a single compromised developer account as the source of the breach. However, the company doesn’t reveal how the threat actor gained unauthorized access to this account. LastPass became aware of the breach after detecting some unusual activity in its development environment two weeks ago, at which point the company immediately launched an investigation. LastPass has yet to conclude its investigation, but it hasn’t found evidence of any unauthorized access beyond the scope of the initial breach.
LastPass has responded to this incident by increasing its security, using this breach as an opportunity to learn. The company is using information gleaned from its investigation to assess the state of its security practices and consider what further measures it could implement. As it stands, even if the threat actor had gained access to users’ password vaults, users’ passwords would remain protected, as LastPass stores user passwords with zero-knowledge encryption. Even authorized LastPass employees couldn’t access user passwords if they wanted to do so. The same goes for users’ master passwords.
Some LastPass users’ master passwords were compromised as recently as December of last year. However, it turned out that there was no data breach involved in that attack. The threat actor instead carried out credential stuffing attack against some of LastPass’ users. A credential stuffing attack takes login credentials compromised in other data breaches and plugs them into another service in the hopes that some users re-used the same username and password. As it turned out, some LastPass users had re-used previously compromised login credentials, and the attacker was able to gain access to these accounts. This credential stuffing attack stands as a warning against re-using passwords, particularly when it comes to a password manager master password.
LastPass identifies a single compromised developer account as the source of the breach. However, the company doesn’t reveal how the threat actor gained unauthorized access to this account. LastPass became aware of the breach after detecting some unusual activity in its development environment two weeks ago, at which point the company immediately launched an investigation. LastPass has yet to conclude its investigation, but it hasn’t found evidence of any unauthorized access beyond the scope of the initial breach.
LastPass has responded to this incident by increasing its security, using this breach as an opportunity to learn. The company is using information gleaned from its investigation to assess the state of its security practices and consider what further measures it could implement. As it stands, even if the threat actor had gained access to users’ password vaults, users’ passwords would remain protected, as LastPass stores user passwords with zero-knowledge encryption. Even authorized LastPass employees couldn’t access user passwords if they wanted to do so. The same goes for users’ master passwords.
Some LastPass users’ master passwords were compromised as recently as December of last year. However, it turned out that there was no data breach involved in that attack. The threat actor instead carried out credential stuffing attack against some of LastPass’ users. A credential stuffing attack takes login credentials compromised in other data breaches and plugs them into another service in the hopes that some users re-used the same username and password. As it turned out, some LastPass users had re-used previously compromised login credentials, and the attacker was able to gain access to these accounts. This credential stuffing attack stands as a warning against re-using passwords, particularly when it comes to a password manager master password.
