Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
August 26, 2022

LastPass breach: Source code, proprietary tech info stolen

“An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information,” the makers of the popular password manager LastPass announced on Thursday, but reassured users that the Master Passwords securing their password vaults are safe.

What happened?

LastPass says that they detected the breach two weeks ago, but that they haven’t (to this date) discovered evidence of the attacker gaining access to customer data in their production environment or encrypted password vaults.

“This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” the company added.

The attacker apparently got in by compromising a developer account. How, exactly? LastPass hasn’t shared.

The company is sending out emails to notify users of the breach, but is not requiring them to change their Master Password. Nevertheless, it is urging users to follow security best practices to keep their accounts secure: keeping devices updated, using strong, unique passwords, and setting up multifactor authentication (MFA) for additional protection.

Unfortunately, it’s impossible to predict how the stolen source code and technical information will end up being used by attackers. There is the possibility of it helping attackers to discover vulnerabilities that can be exploited to compromise accounts.

In the past 5-6 years, several vulnerabilities in LastPass and its extensions were flagged by Google researcher Tavis Ormandy.

UPDATE (September 19, 2022, 03:45 a.m. ET):

LastPass has completed the investigation and confirmed that the threat actor’s activity was limited to a four-day period in August 2022 and they did not access any customer data or encrypted password vaults.

“In order to validate code integrity, we conducted an analysis of our source code and production builds and confirm that we see no evidence of attempts of code-poisoning or malicious code injection. Developers do not have the ability to push source code from the Development environment into Production. This capability is limited to a separate Build Release team and can only happen after the completion of rigorous code review, testing, and validation processes,” they added.

© Copyright 1998-2023 by Help Net Security