LastPass Data Breach Results in Source Code Theft

LastPass, the company offering the most widely used password management solution worldwide, reported a cyberattack and security breach. As per LastPass, there are close to 30 million users of its password manager tool globally, which include 85,000 business clients. Notifications were sent to users to advise them concerning the cyberattack and give reassurances that although certain company data was stolen during the attack, users’ password vaults weren’t impacted and the cyberattack didn’t bring about any trouble to its services or products.

As per the notice presented 2 weeks ago, LastPass uncovered that an unauthorized person had obtained access to one developer’s account, which allowed the attacker access to the LastPass programmer’s environment. LastPass stated steps were taken right away to restrict the attack and avert more unauthorized access, with the forensic investigation validating the attackers stole parts of its source code and certain private LastPass technical details.

Much like the case with lots of other password management options, LastPass uses the zero-knowledge model, which means it doesn’t have access to its users’ encrypted password vaults. Only individual users could access their password vaults utilizing the master password and completing multi-factor authentication verifications (if MFA is activated). Karim Toubba, LastPass CEO, mentioned that there’s no proof that the breach permitted any access to user information or encrypted password vaults, hence, users don’t need to modify their master passwords.

LastPass explained it is already assessing further mitigation strategies and will be taking action to improve the safety of its environment. This isn’t LastPass’ first encounter of cyberattack. In 2015, the organization suffered an attack wherein attackers had acquired the usernames of a number of customers, together with their hashed master passwords. LastPass required a password reset as a safety measure. Because only hashed passwords had been stolen, just the end users who had used weak master passwords were vulnerable.

LastPass users were likewise attacked during a credential stuffing campaign. LastPass notified its users at the end of 2021 that it had noticed abnormal, login attempts and had recognized a small increase in security warnings linked to user accounts. The investigation proved this was caused by credential stuffing attacks, in which threat actors employ usernames and passwords exposed in third-party data breaches to attempt to obtain access to accounts on other programs. These attacks can only be successful when passwords are used again on several accounts. In case a unique master password is utilized for an account, it is going to be secured against credential stuffing attacks.

Cyberattacks on password managers are somewhat rare and though such an attack can likely allow a threat actor to acquire access to a customer’s password vault, password managers continue to be recommended and could considerably increase password security. All end users of password managers must make certain they select a lengthy, difficult, and unique passphrase or password for their password manager account. They need to establish multi-factor authentication. For even better security, think about making use of the safe password manager’s username generator, in case that function is provided.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.