LastPass Hacked, Portion of Source Code Stolen Following a Developer Account Breach

The theft of portions of the source code is the second cybersecurity incident LastPass suffered in nine months. The company has confirmed the breach.

Last Updated: August 30, 2022

Password management services provider LastPass suffered the theft of proprietary information after a hacker used a compromised developer account to access the company’s development environment. The incident compromised portions of the company’s source code and some proprietary technical information.

LastPass explained that the incident occurred a couple of weeks earlier, when the unknown hacker gained access to its systems through a breached developer account; the unusual activity that followed alerted the password management company.

While customer data and passwords remain unaffected despite the break-in, LastPass said the hacker was able to steal source code and other proprietary data because the compromised account had access to the LastPass development environment.

The company said, “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.”

Avishai Avivi, CISO at SafeBreach, explained to Spiceworks how the theft of the source code could be damaging in the future. He said, “Bad actors will want source code for the same reason bank robbers will want floor plans to a bank. Being able to understand how the particular software works can potentially help the malicious actor identify its weak points and ways of gaining entry.”

“This doesn’t, however, mean that access to the bank’s floor plan, or even being able to compromise one of the bank employees, necessarily means that any money will be stolen.”

LastPass’ encrypted vaults store customer passwords and can be decrypted only with the user’s master password. Master passwords weren’t compromised: LastPass doesn’t store them, and vault access follows the Zero Knowledge security model described in the image below:

LastPass Zero Knowledge Security Model | Source: LastPass

“Zero knowledge means that no one has access to your master password or the data stored in your vault, except you. Not even LastPass,” the company notes on its website. Late in 2021, LastPass was reportedly targeted by a credential stuffing attack. The PBKDF2 hashing shown in the flowchart above does not defend against that kind of attack: key stretching slows down offline guessing of the master password, but an attacker who already holds a user’s reused password pays the same derivation cost as the legitimate client.

The previous attack, possibly carried out using the Redline Stealer, was reported to have exposed the master passwords of some users. In his assessment of the Redline Stealer malware logs, security researcher Bob Diachenko noted, “Redline Stealer malware logs with more than 6M records were exposed online, publicly (now taken down). Internationally sourced data, exfiltrated in Sept and Aug 2021.”

Soon after that, LastPass VP of Engineering Gabor Angyal stated that they “have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”

LastPass is one of the most prominent password management companies, serving over 33 million users and over 100,000 business accounts, all of which were apprised of the incident through email.

However, the company didn’t provide further details about the latest hack: how the developer account was initially compromised, whether internal negligence or error played a part, or precisely which portions of the source code were taken.

Avivi considered LastPass’ response timely (the disclosure came about two weeks after the intrusion) and transparent. “Being a customer of LastPass, I received an email from them [LastPass] hours before the story became public. The email, I thought, was well worded, provided enough information, without disclosing too much.”

The same sentiment resonated with Javvad Malik, the lead security awareness advocate at KnowBe4. “LastPass did well to spot the intrusion into their dev environment, where most organizations probably would have missed it and it is commendable that they communicated the incident clearly to its customers,” Malik told Spiceworks.

“Maintaining clear communication and setting expectations is of key importance because it is what trust is built on, and password manager providers, like many security products, are built on trust. If people lose confidence in the security of the product, or the organization’s lack of transparency, that in itself can be more damaging than any actual breach.”

Tom Davison, senior director of engineering international at Lookout, advised caution and multi-factor authentication, since the breach in question reached the source code, even if only partially.

Davison told Spiceworks, “LastPass users should stay vigilant, follow the news and watch for any unusual activity or login notifications across their accounts. It is really important to configure all of the available MFA settings provided by LastPass, including the use of an authenticator app to secure logins (SMS has been shown to be vulnerable to SIM swap attacks).”

“For most users, additional MFA confirmations will be done via a mobile device – it is vital that this is secured too,” he added.

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis