LastPass Hacked, Source Code, Proprietary Info Stolen

Bad actors hacked LastPass, the password management provider, this month, allowing them to steal source code and proprietary technical information.

Karim Toubba, LastPass’ CEO, addressed the incident in a blog. More than 33 million people around the world use LastPass.

LastPass’ Karim Toubba

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” he said. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”

LastPass deployed containment and mitigation measures, Toubba said. It also engaged a cybersecurity and forensics firm.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” he said. “Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment.”

No Customer Data Accessed

LastPass says its investigation has shown no evidence of any unauthorized access to customer data in its production environment. In addition, the incident didn’t compromise its customers’ master passwords. They are encrypted and stored on their device, and are used to securely access their vault and its contents.

Last December, LogMeIn spun off LastPass as a standalone company.

Tom Davison is senior director of Lookout.

Lookout’s Tom Davison

“Password managers make it really easy to use unique strong passwords across multiple accounts, which is a key first step to staying secure online,” he said. “However, if the master password is compromised, or the password vault somehow exploited, then the impact can be very high. Fortunately, it does not appear that user data or password vaults have been compromised in this case. However, source code was confirmed stolen and attackers will be looking hard for potential weaknesses to exploit.”

Users Should Stay Vigilant

Since LastPass was hacked, users should stay vigilant, Davidson said. They should follow the news and watch for any unusual activity or login notifications across their accounts.

“It is really important to configure all of the available multifactor authentication (MFA) settings provided by LastPass, including the use of an authenticator app to secure logins (SMS has been shown to be vulnerable to SIM swap attacks),” he said. “For most users, additional MFA confirmations will be done via a mobile device. It is vital that this is secured, too.”

David Lindner is Contrast Security‘s CISO.

Contrast Security’s David Lindner

“LastPass has been a prime target for malicious actors over the past few years,” he said. “This makes sense as LastPass holds the keys to the kingdom for millions of websites and applications. In this case of stolen source code, I would worry less about what’s in the code and more about where the malicious actor may have been or still is in my environment.”

‘Scary’ Prospect

Justin Vaughan-Brown is vice president of market insight at Deep Instinct.

Deep Instinct’s Justin Vaughan-Brown

“Stolen source code is a scary prospect for organizations,” he said. “And unfortunately, it opens the door potentially for further attacks on the business. Source code is part of a company’s intellectual property, and therefore holds massive value to cybercriminals. LastPass confirmed that an unauthorized party gained access and took portions of the source code.”

Threat actors who gain access to source code may be able to find the security vulnerabilities within the organization’s product, Vaughan-Brown said. This means cybercriminals are then able to exploit weaknesses within the network, which are unknown to the organization. Security incidents like LastPass being hacked demonstrate to organizations that it is more important than ever to start preventing cyberattacks.

“Far too many organizations rely on a reaction-and-mitigation approach when it comes to cybersecurity,” he said. “Endpoint detection and response (EDR) needs malware to execute in order to pick it up as malicious, at which point it could be already too late. For example, by the time a cyberattack has been detected, source code could have already been stolen. Organizations then usually end up seeing their data being bought and sold on the dark web, fuelling more heinous cybercrimes. It’s time we start to stop cyberattacks before they reach this point.”