With the average professional now juggling about 100 different login credentials, password managers are becoming an increasingly common security tool. LastPass is one of the largest on the market, with over 33 million individual users. A recent security breach at the company does not appear to be an immediate threat to the encrypted vaults that customers use to store their passwords, but the hackers may have made off with source code and proprietary information.
Security breach at LastPass not a direct threat to customer credentials, but nature of stolen information remains unknown
LastPass issued notice of the security breach on August 25. The company said that it had detected unusual activity in its password manager development environment two weeks prior and had traced it back to a single compromised developer account. The investigation did not turn up any illicit access to the encrypted password vaults or customer credentials, but did apparently provide the attacker with “portions of source code” and some amount of “proprietary technical information.”
The LastPass announcement stressed that the security breach could not have compromised customer “Master Passwords” due to the password manager’s “Zero Knowledge” architecture, which does not store these credentials on a company server. The wording of the announcement indicated that the development environment is separate from the architecture used to handle encrypted vault data. The company is not currently recommending that its password manager customers take any special action in response to the security breach.
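To make the “Zero Knowledge” point concrete, here is an added illustration (not LastPass’s own code, and not a description of its exact key schedule) of the general pattern such password managers use: the master password is stretched on the client into a vault key that never leaves the device and a separate authentication key, and the server stores only a salted verifier of the latter, so a compromised server-side or development system holds nothing that decrypts a vault. The iteration counts are assumed example values.

```python
import hashlib
import hmac
import os

# Constructed example: a client-side key split in the zero-knowledge style.
# The vault key is used locally to encrypt the vault; only the auth key is
# ever sent to the server, and the server keeps a salted hash of it.
CLIENT_ITERATIONS = 100_100   # assumed example value, not a vendor setting
SERVER_ITERATIONS = 10_000    # assumed example value


def derive_keys(master_password: str, email: str, iterations: int = CLIENT_ITERATIONS):
    """Client side: PBKDF2-SHA256 over the master password, salted with the
    (case-normalised) e-mail, gives the vault key; one more pass keyed by the
    master password gives an independent authentication key."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations)
    auth_key = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_key


def make_server_record(auth_key: bytes) -> dict:
    """Server side: store a per-user salt and a hash of the auth key, never the
    auth key itself and never anything derived from the master password directly."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def verify_login(record: dict, auth_key: bytes) -> bool:
    """Server side: constant-time comparison of the recomputed verifier."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", auth_key, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def record_exposes_vault_key(record: dict, vault_key: bytes) -> bool:
    """Defender's sanity check: the stored record must not contain the vault key."""
    return vault_key in (record["salt"] + record["verifier"])
```

An attacker holding the server record can still run offline guesses against the verifier, which is why a unique, non-reused master password and MFA remain necessary even under this design.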
LastPass also did not make mention of any new security measures being added in response to the breach. It reiterated its list of existing practices such as annual penetration testing, its bug bounty program and free regular dark web monitoring for the appearance of password manager credentials.
Password managers offer sound credential and data security, but theft of source code is concerning
In terms of handling user login credentials and stored data, LastPass appears to be doing everything right to minimize the impact of such a security breach. The hacker would not be able to get at locally-stored master passwords, and the encrypted vaults are secured with strong encryption protocols.
The part that might cause concern is the fact that source code was stolen, particularly as the password manager has opted not to share specific details about what made it out the door. LastPass has been compromised before, in a December 2021 security breach that did see master passwords potentially stolen. The attack was not detected until customers of the password manager started seeing notifications that an attempt to log in with their valid master password from a foreign country was blocked due to the unfamiliar location; some unlucky customers took to social media to report that the attackers managed to get in. However, LastPass claimed that this was a bot campaign conducted using combinations of email addresses and passwords leaked in other data breaches; the attackers were simply hitting customers that had re-used an email/password combination that had been compromised at some other site.
There is confusion about how accurate this claim is, however, as some password manager customers claimed that they continued to receive alerts about foreign login attempts with valid credentials after they had changed their master passwords. There was a prior security breach incident in 2019 in which LastPass detected and patched a security vulnerability in the password manager’s Chrome extension that could have allowed a remote attacker to capture credentials. Incidents such as these highlight the main source of concern about the theft of source code and proprietary information: that something in the stolen information could lead attackers right to a similar exploitable vulnerability.
Ajay Arora, Co-Founder and President at BluBracket, outlined some of the mitigations: “Some steps that companies can take to help secure their organization involve first eliminating secrets such as passwords, credentials and API tokens in source code, followed by balancing productive access against unnecessary risk, and then tracking for any leaked code.”
LastPass offers multi-factor authentication (MFA) for additional account security, but that might not protect against every possible avenue of attack that internal information could reveal. As Tom Davison (Senior Director at Lookout) notes, MFA also requires some additional technical knowledge to set up properly: “LastPass users should stay vigilant, follow the news and watch for any unusual activity or login notifications across their accounts. It is really important to configure all of the available MFA settings provided by LastPass, including the use of an authenticator app to secure logins (SMS has been shown to be vulnerable to SIM swap attacks). For most users, additional MFA confirmations will be done via a mobile device – it is vital that this is secured too.”
Potential impact on business accounts
There is also the possibility of a “cascading” attack on other websites and businesses via their own internal administrative accounts, as LastPass counts a number of major businesses among its customers, State Farm, Patagonia and Yelp among them, with the company claiming that it has over 100,000 business accounts in total.
Password managers have become an almost requisite tool for some professionals given the amount of logins they are expected to manage, all of which should ideally have unique passwords. However, the prior LastPass security breach illustrates that some people will still re-use email and password combinations for their master password even when doing so defeats the purpose of the entire exercise; the solution in that case is more end user training and added layers of defense that assume an initial account compromise will eventually happen.
Hemant Kumar, Founder and CEO of Enpass, additionally points out that other types of password managers reduce the security breach risk by keeping data entirely on user devices and in a personal cloud storage account of the user’s own choosing: “Developer systems are generally isolated from DevOps and production environments. But if the system has access to the production environment, the situation can have consequences … Local/offline password managers such as Enpass do not store users’ data on any one centralized server. Users select their own trusted cloud accounts like iCloud, OneDrive, Google Drive or keep their data local, discouraging hackers.”