LastPass Suffers Data Breach, Source Code Stolen

Researchers warned that cyberattackers will be probing the code for weaknesses to exploit later.

Abstract with computer code
Source: Carlos Castilla via Alamy Stock Photo

Cyberattackers have compromised the internal systems of LastPass, making off with source code and intellectual property.

The password management company said it detected anomalous activity in its development environment two weeks ago. After digging into the forensic data, investigators determined that someone (or someones) compromised a developer account to gain access to the network, taking "portions of source code and some proprietary LastPass technical information," according to an announcement posted this week.

Crucially, the adversaries weren't able to access customer data or encrypted password vaults.

"We utilize an industry-standard 'zero-knowledge' architecture that ensures LastPass can never know or gain access to our customers' Master Password [and it] ensures that only the customer has access to decrypt vault data," according to LastPass.

That said, Ajay Arora, co-founder and president at BluBracket, noted that attackers will be looking hard for potential weaknesses to exploit in the LastPass source code, potentially leading to follow-on attacks.

"An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application's architecture," he said via an emailed statement. "This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact."

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, also said in a statement that the attackers could have been probing around to see if they could find an avenue into LastPass partner or supplier networks.

“Cybersecurity companies are being targeted to facilitate island hopping," he said. "After the FireEye breach, the industry should have woken up. In 2022, cybersecurity companies must practice what they preach. Many still underinvest in their own cybersecurity. Expect to be hit and prepare to respond.”

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights