LastPass attackers steal source code, no evidence users' passwords compromised

Image

LastPass, the popular password manager used by millions of people around the world, has announced that it suffered a security breach two weeks ago that saw attackers break into its systems and steal information.

But don't panic just yet - that doesn't mean that all of your passwords are now in the hands of internet criminals. Although the breach is clearly not good news, the company says that there is no evidence that the attackers were able to access customer data or encrypted password vaults.

In a blog post revealing the security incident, LastPass CEO Karim Toubba announced that two weeks ago the company detected "some unusual activity within portions of the LastPass development environment."

"We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally."

In a brief FAQ the company addresses questions that will probably be foremost in the minds of its approximately 25 million users. Here's my executive summary.

1. Has my Master password or the Master Password of my users been compromised?

No. LastPass doesn't store users' master passwords. If you never store or have knowledge of a piece of data, and can't access it yourself, then it also can't be stolen from you.

2. Has any data within my vault or my users’ vaults been compromised?

No. LastPass says that the incident occurred in its development environment, and has seen no evidence of any unauthorised access to encrypted vault data. Again, you can hear the sigh of relief from LastPass users who might have been concerned that their passwords might have fallen into the wrong hands. The benefit of LastPass's zero-knowledge architecture is that only customers have the access to decrypt password vault data.

3. Has any of my personal information or the personal information of my users been compromised?

No. LastPass says it has seen no evidence of any unauthorised access to customer data in its production environment. It doesn't explicitly state so, but one hopes that it was not using real customer data in its development environment.

4. What should I do to protect myself and my vault data?

Nothing. For now, LastPass isn't recommending any courses of action for its users, because it doesn't feel that there are any steps that users need to take. It does remind users to follow best practices when it comes to setting up and configuring their LastPass account, but that would have made sense even before the security breach occurred.

This isn't the first time that LastPass has suffered a security breach.

For instance, in 2015 the company advised users to change their LastPass master passwords after account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

And in 2011 I was impressed with how LastPass responded after it discovered attackers had managed to access data on its servers.

In those incidents, LastPass was open and transparent about what had occurred and took steps to reassure its customer base that it took the problems seriously.

If what LastPass is saying about this latest breach is correct - that a single developer's account was compromised and that users' data was not put at risk - then that actually could be viewed as some reassurance that the fundamental zero-knowledge architecture of their password management solution works as intended.

Unless we hear otherwise (and it would be good in due course to hear more about the developer's account was compromised, and what LastPass is doing to ensure that doesn't happen again), then it does not sound as if there is any need for users to panic.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.