LastPass Data Breach Results in Theft of Source Code

LastPass, the provider of the world's most widely used password manager, has announced a cyberattack and data breach. According to LastPass, roughly 30 million people use its password manager worldwide, including 85,000 business customers. LastPass notified customers of the attack and offered reassurance that, although some company data was stolen, users' password vaults were not affected and the attack did not disrupt its products or services.

According to the notice released two weeks ago, LastPass discovered that an unauthorized party had compromised a single developer account and used it to gain access to the LastPass development environment. LastPass said it quickly took steps to contain the incident and block further unauthorized access, and that its forensic investigation confirmed the attacker had taken portions of its source code and some proprietary LastPass technical information.

Like many other password managers, LastPass operates on a zero-knowledge model: the vault is encrypted on the user's device with a key derived from the master password, that key never leaves the device, and LastPass stores only the encrypted vault, which it cannot decrypt. Only the individual user can unlock a vault, by supplying the master password and completing multi-factor authentication (if MFA is enabled). Karim Toubba, LastPass CEO, said there is no evidence that the incident gave the attacker access to customer data or encrypted password vaults, and that users therefore do not need to change their master passwords.

LastPass said it is evaluating additional mitigations and will take steps to harden its environment. This is not the company's first cyberattack. In 2015, attackers obtained the usernames of some customers along with their hashed master passwords, and LastPass forced a password reset as a precaution. Because only hashes were stolen, the attackers had to guess each master password offline against its hash, so only users who had chosen weak master passwords were realistically at risk.
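To make the zero-knowledge model and the 2015 hash theft concrete, here is an added Python example. It is not LastPass's code and does not use LastPass's actual parameters, key-derivation scheme or cipher; it assumes an illustrative design in which the client stretches the master password with PBKDF2 (salted with the account email) into a vault key, encrypts the vault locally, and sends the server only a one-way authentication hash plus the ciphertext. A toy HMAC-based keystream stands in for a real authenticated cipher. The `offline_guess` function plays an attacker holding a stolen server record, which is why only weak master passwords fall.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative iteration count for the zero-knowledge pattern; not LastPass's setting.
ITERATIONS = 100_000
NONCE_LEN = 16


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the vault encryption key.
    The (lower-cased) email is the per-user salt. The server never sees this key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step yields the value sent to the server for
    login. The server can verify it but cannot recover the vault key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for an AEAD cipher: counter-mode keystream from HMAC-SHA256,
    XORed over the data. Used only to show that the server holds ciphertext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_register(server: dict, email: str, master_password: str, vault_plaintext: bytes) -> None:
    """Everything that reaches the server is computed here, on the client."""
    vault_key = derive_vault_key(master_password, email)
    nonce = os.urandom(NONCE_LEN)
    server[email] = {
        "auth_hash": derive_auth_hash(vault_key, master_password),
        "vault": nonce + keystream_xor(vault_key, nonce, vault_plaintext),
    }


def server_login(server: dict, email: str, auth_hash: bytes) -> bool:
    """Server side: constant-time comparison of the presented auth hash only."""
    record = server.get(email)
    return record is not None and hmac.compare_digest(record["auth_hash"], auth_hash)


def client_open_vault(server: dict, email: str, master_password: str) -> Optional[bytes]:
    """Client side: re-derive the key, log in, decrypt the returned blob locally."""
    vault_key = derive_vault_key(master_password, email)
    if not server_login(server, email, derive_auth_hash(vault_key, master_password)):
        return None
    blob = server[email]["vault"]
    return keystream_xor(vault_key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def offline_guess(stolen_record: dict, email: str, wordlist) -> Optional[str]:
    """Attacker with a stolen server record (the 2015 scenario): each guess costs a
    full PBKDF2 derivation, so the iteration count and password strength decide
    whether the attacker ever reaches the vault key."""
    for guess in wordlist:
        key = derive_vault_key(guess, email)
        if hmac.compare_digest(derive_auth_hash(key, guess), stolen_record["auth_hash"]):
            return guess
    return None


if __name__ == "__main__":
    server = {}  # constructed in-memory stand-in for the provider's storage
    client_register(server, "alice@example.com", "password123", b"bank.example: alice / Qx9!")
    client_register(server, "bob@example.com", "correct horse battery staple 41", b"bank.example: bob / Zz2#")
    wordlist = ["123456", "qwerty", "password123", "letmein"]
    print("alice opens vault:", client_open_vault(server, "alice@example.com", "password123"))
    print("wrong password:   ", client_open_vault(server, "alice@example.com", "Password123"))
    print("offline vs alice: ", offline_guess(server["alice@example.com"], "alice@example.com", wordlist))
    print("offline vs bob:   ", offline_guess(server["bob@example.com"], "bob@example.com", wordlist))
```

The stolen record contains neither the master password nor the vault key, so the only path to a vault is guessing; `offline_guess` against a strong passphrase exhausts the wordlist and returns `None`, while the weak one is recovered in a handful of derivations.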

LastPass users were also targeted in a credential stuffing campaign. In late 2021 LastPass warned users that it had detected unusual login attempts and a slight increase in security alerts on user accounts. Its investigation attributed the activity to credential stuffing, in which attackers take usernames and passwords exposed in third-party data breaches and replay them against accounts on other services. These attacks can only succeed when a password has been reused across accounts; a master password that is unique to the password manager cannot be obtained from another site's breach.
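As an added example (not LastPass's detection logic, and run over a constructed log rather than any real LastPass data), the following Python separates credential stuffing from ordinary failed logins and from single-account brute force: a stuffing source cycles through many distinct usernames with a low success rate, and the few successes it does get are the reused passwords that need a forced reset. The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data). One line per login attempt.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z src=203.0.113.7 user=ann@example.com result=FAIL
2021-12-27T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2021-12-27T10:00:03Z src=203.0.113.7 user=cat@example.com result=OK
2021-12-27T10:00:04Z src=203.0.113.7 user=dan@example.com result=FAIL
2021-12-27T10:00:05Z src=203.0.113.7 user=eve@example.com result=FAIL
2021-12-27T10:00:06Z src=203.0.113.7 user=fay@example.com result=FAIL
2021-12-27T10:01:00Z src=198.51.100.9 user=ann@example.com result=FAIL
2021-12-27T10:01:09Z src=198.51.100.9 user=ann@example.com result=OK
2021-12-27T10:02:00Z src=192.0.2.5 user=bob@example.com result=FAIL
2021-12-27T10:02:01Z src=192.0.2.5 user=bob@example.com result=FAIL
2021-12-27T10:02:02Z src=192.0.2.5 user=bob@example.com result=FAIL
2021-12-27T10:02:03Z src=192.0.2.5 user=bob@example.com result=FAIL
2021-12-27T10:02:04Z src=192.0.2.5 user=bob@example.com result=FAIL
"""

# Assumed line layout: timestamp, source address, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events: list, min_users: int = 5, max_success_rate: float = 0.3) -> dict:
    """Flag sources that attempt many distinct usernames with mostly failures.

    A legitimate user mistyping a password and a brute-force attack on a single
    account both concentrate on one username, so they do not trip min_users;
    stuffing spreads attempts across many accounts because each stolen
    credential pair is tried once.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["ok"] += int(e["result"] == "OK")

    flagged = {}
    for src, s in per_src.items():
        distinct = len(s["users"])
        if distinct >= min_users and s["ok"] / s["attempts"] <= max_success_rate:
            flagged[src] = {
                "distinct_users": distinct,
                "attempts": s["attempts"],
                "successes": s["ok"],
            }
    return flagged


def accounts_to_reset(events: list, flagged: dict) -> list:
    """Accounts that a flagged source logged into successfully: their password was
    reused somewhere that leaked, so the provider should force a reset."""
    hits = {e["user"] for e in events if e["src"] in flagged and e["result"] == "OK"}
    return sorted(hits)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = detect_credential_stuffing(events)
    for src, stats in flagged.items():
        print(f"stuffing suspected from {src}: {stats}")
    print("force reset:", accounts_to_reset(events, flagged))
```

On the sample log only `203.0.113.7` is flagged; the user retrying their own password from `198.51.100.9` and the single-account brute force from `192.0.2.5` are left for other detectors, and `cat@example.com` is the one account whose reused password must be reset.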

Cyberattacks on password managers are relatively rare, and although such an attack could in principle give a threat actor access to a user's vault, password managers remain recommended and can significantly improve password security. Every password manager user should choose a long, complex, and unique password or passphrase for the password manager account and enable multi-factor authentication. For added protection, consider using the password manager's username generator where that feature is available.