LastPass, one of the world’s most popular password managers, has confirmed it has been hacked and portions of its source code have been stolen.
Password managers are a must these days. The average person has around 100 passwords (according to NordPass), so remembering all of them would be impossible without taking shortcuts that compromise security. The easiest solution is to use a password manager. With a password manager, passwords do not need to be remembered, as they are auto-filled whenever they are needed. One fear about using a password manager is that if the password manager is hacked, every password could be compromised. However, because passwords are stored encrypted in a personal password vault that only the user's master password can unlock, stealing the vault does not by itself give hackers access to the passwords. That said, hacking incidents at password manager companies do occur. LastPass was hacked in June 2015 and has now confirmed that it has been hacked again.
In June 2015, users were advised to update their master passwords after the hack, but LastPass has not taken that decision this time, as the company says it found no evidence that any customer data was accessed or stolen and that users’ encrypted password vaults were not affected. LastPass CEO Karim Toubba said a developer account had been compromised two weeks before the announcement and that “portions of source code and some proprietary LastPass technical information” were stolen. LastPass said it worked quickly to contain the attack, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm to investigate the nature and scope of the attack. The investigation into the breach is ongoing, but LastPass has confirmed that it has seen no further evidence of unauthorized activity.
It would seem that the 33 million or so LastPass users and the 100,000 businesses the company claims to serve can breathe a sigh of relief, but questions remain about exactly what was stolen: how much of the source code was compromised, and what proprietary technical information was accessed and exfiltrated. LastPass has not disclosed how the attack occurred or how the developer account was compromised. One hopes it was not through password reuse or a weak password. The June 2015 breach was made possible by a credential stuffing attack, and in that attack some master passwords were compromised.
Current LastPass users who are uneasy about the two hacking incidents should ensure that multi-factor authentication is enabled on their account, and they could also change their master password for added peace of mind; however, as LastPass said in its breach notice, “We never store or have knowledge of your Master Password. We utilize an industry-standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.”
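A simplified model of the zero-knowledge design described in that notice, added here as an illustrative example (this is not LastPass's code; the PBKDF2 work factor, the choice of the account email as salt, and the HMAC-based cipher are assumptions made for a stdlib-only demonstration). The master password and the vault key exist only on the client; the server record holds a one-way login hash plus an authenticated ciphertext, so whoever obtains that record, or the code that produced it, recovers neither the master password nor the vault contents.

```python
import hashlib
import hmac
import secrets

# Constructed zero-knowledge vault model (not LastPass's implementation). The master password
# never leaves the client: the server only ever receives a derived login hash and the
# encrypted vault, so a server-side breach or stolen source code reveals neither.
ITERATIONS = 100_000  # assumed PBKDF2 work factor, kept low so the example runs quickly

def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side: vault key from the master password, salted with the account identifier."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: the login value the server stores; one extra one-way step, so it cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _subkeys(vault_key: bytes) -> "tuple[bytes, bytes]":
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-CTR)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the result is the only vault material the server ever sees."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def decrypt_vault(vault_key: bytes, blob: dict) -> "bytes | None":
    """Returns None when the key is wrong or the stored blob was tampered with."""
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))

def server_record(master_password: str, email: str, vault: bytes) -> dict:
    """Everything the server receives for this account, all of it computed client-side."""
    key = derive_vault_key(master_password, email)
    return {"email": email, "auth_hash": derive_auth_hash(key, master_password), **encrypt_vault(key, vault)}
```

Note that the auth hash and the vault key are different one-way derivations, so an attacker who dumps the server's login hashes still has to brute-force the master password to reach the vault, which is why MFA and a strong master password remain the user's real defences.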