
LastPass Suffers Data Breach, Source Code Stolen

Cyberattackers have compromised the internal systems of LastPass, making off with source code and intellectual property.

The password management company said it detected anomalous activity in its development environment two weeks ago. After reviewing the forensic data, investigators determined that an attacker compromised a single developer account to gain access to the development environment and took “portions of source code and some proprietary LastPass technical information,” according to an announcement posted this week.

Crucially, LastPass said the attackers were not able to access customer data or encrypted password vaults.

“We utilize an industry-standard ‘zero-knowledge’ architecture that ensures LastPass can never know or gain access to our customers’ Master Password [and it] ensures that only the customer has access to decrypt vault data,” according to LastPass.
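LastPass describes its design only at the level of the statement above. As an added illustration that is not LastPass's code, the Python below sketches how a generic zero-knowledge password manager separates the key that decrypts the vault (derived and used only on the client) from the login credential the server stores, so that a dump of everything the server holds still cannot open a vault. The iteration counts, the email-as-salt convention and the HMAC-SHA256 counter-mode cipher standing in for AES-GCM are assumptions of this example, chosen so it runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Illustrative parameters, not LastPass's real ones: the iteration counts and the
# email-as-salt convention are assumptions made for this example.
CLIENT_KDF_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 rounds run on the client
SERVER_KDF_ITERATIONS = 100_000   # extra rounds the server applies before storing
NONCE_LEN, TAG_LEN = 16, 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only. The vault key is never transmitted or stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(),
                               CLIENT_KDF_ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Login credential sent to the server: one more one-way step over the vault key,
    so holding it reveals neither the vault key nor the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def server_enroll(auth_hash: bytes) -> dict:
    """What the server keeps for login: a salted re-hash of the auth hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_KDF_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Constant-time check of a presented auth hash against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_KDF_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


def _subkeys(vault_key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES-GCM so this runs with the
    standard library only. A real product uses an AEAD cipher here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag; safe to hand to the server."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def open_vault(master_password: str, email: str, record: dict, blob: bytes):
    """Full client flow. Returns the plaintext vault, or None if login or decryption fails."""
    vault_key = derive_vault_key(master_password, email)
    if not server_verify(record, derive_auth_hash(vault_key, master_password)):
        return None
    try:
        return decrypt_vault(vault_key, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample account for the demo.
    email, password = "alice@example.com", "correct horse battery staple"
    vault_key = derive_vault_key(password, email)
    record = server_enroll(derive_auth_hash(vault_key, password))
    blob = encrypt_vault(vault_key, b'{"site": "example.com", "pw": "hunter2"}')
    # A breach dump of what the server holds is (record, blob); neither contains vault_key.
    print(open_vault(password, email, record, blob))
    print(open_vault("wrong password", email, record, blob))
```

The property worth checking is that the two artifacts a server-side breach would yield, the login record and the encrypted blob, are both one-way functions of the vault key, so an attacker holding them must still brute-force the master password through the client-side PBKDF2 work factor. That is also why the strength of the master password and the iteration count, not the server's security, bound the exposure of vault data in this design.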

That said, Ajay Arora, co-founder and president at BluBracket, noted that attackers will scrutinize the stolen LastPass source code for exploitable weaknesses, which could enable follow-on attacks.

“An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application’s architecture,” he said via an emailed statement. “This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact.”

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, also said in a statement that the attackers may have been probing for an avenue into LastPass partner or supplier networks.

“Cybersecurity companies are being targeted to facilitate island hopping,” he said. “After the FireEye breach, the industry should have woken up. In 2022, cybersecurity companies must practice what they preach. Many still underinvest in their own cybersecurity. Expect to be hit and prepare to respond.”
