LastPass Confirms Hack And Theft Of Source Code

Not again. Password management service confirms hackers stole source code and technical data, but insists customer data was not compromised

Password management service LastPass is once again at the centre of a security scare, after it confirmed a recent ‘security incident.’

LastPass confirmed a data breach on Thursday in a blog post in which it admitted the hackers had stolen source code and other technical data.

But it insisted that its prized data – namely its customer data and their encrypted password vaults – had not been compromised.

Data breach

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” the firm stated. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

LastPass said that an “unauthorised party” had gained access to portions of its development environment through a single compromised developer account. The hacker apparently “took portions of source code and some proprietary LastPass technical information.”

The firm said its products and services are operating normally.

“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” said the firm. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorised activity.”

It said that based on what it had learned and implemented, it is evaluating further mitigation techniques to strengthen its environment.

LastPass thanked its users for their “patience, understanding and support.”

Previous compromises

But this is not the first time that LastPass has been compromised.

In January 2016 a security researcher (Sean Cassidy) cast doubts on the security of LastPass when he claimed he had discovered a way of gaining login credentials, and even a two-factor authentication code, through a phishing attack.

Cassidy went public and published his exploit on GitHub after notifying the firm two months previously, as he was not satisfied by its response.

Prior to that in June 2015, LastPass suffered a major data breach, in which the stolen data could have allowed hackers to guess weak master passwords.

The company said at the time that as a precaution it was prompting all users to change their master passwords.

Third-party passwords stored with LastPass were not affected at the time.

Source code theft

Now, over five years after those earlier breaches, LastPass’s admission that some of its source code has been stolen has prompted a response from Justin Vaughan-Brown, VP market insight at cybersecurity specialist Deep Instinct.

“Stolen source code is a scary prospect for organisations, and unfortunately, it opens the door potentially for further attacks on the business,” noted Vaughan-Brown. “Source code is part of a company’s intellectual property, and therefore holds massive value to cyber criminals. LastPass confirmed that an unauthorised party gained access and took portions of the source code.”


“Threat actors who gain access to source code may be able to find the security vulnerabilities within the organisation’s product,” said Vaughan-Brown. “This means that cyber criminals are then able to exploit weaknesses within the network, which are unknown to the organisation. Security incidents like this show to organisations that it is more important than ever to start preventing cyberattacks.”

“Far too many organisations rely on a reaction and mitigation approach when it comes to cybersecurity,” Vaughan-Brown added. “Endpoint detection and response (EDR) needs malware to execute in order to pick it up as malicious, by which point it could be already too late.”

“For example, by the time a cyberattack has been detected, source code could have already been stolen,” said Vaughan-Brown. “Organisations then usually end up seeing their data being bought and sold on the dark web, fuelling more heinous cybercrimes. It’s time we start to stop cyberattacks before they reach this point.”

“Businesses need to start looking towards a proactive and preventative mindset that stops cyberattacks before they breach the network,” said Vaughan-Brown. “It’s time to put cybercriminals out of business once and for all by showing them that we can stop their criminal acts before they have time to cause any damage.”