LastPass logo

Source code of password manager LastPass stolen by attacker

In a security incident notice from LastPass the company informed the public know that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. There is no evidence that this incident involved any access to customer data or encrypted password vaults.

LastPass

LastPass offers a password manager which is reportedly used by more than 33 million people and 100,000 businesses around the world. A password manager is a software application designed to store and manage online credentials. It also generates strong passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.

Stolen passwords

Because of the nature of their business, a breach notification naturally worries people that the passwords they stored in their password manager may have been leaked or compromised. And indeed here was some speculation on social media that hackers may be able to access the keys to password vaults after stealing source code and proprietary information.

Since your individual passwords are encrypted and locked behind a master password that even LastPass does not know, this worry seems unjustified. In December of 2021, LastPass users reported that their master passwords were compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations and devices. LastPass determined that these were the result of a credential stuffing attack. Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

Random generated passwords

Depending on the source code that was stolen there could be reason to worry about random generated passwords. Since computer systems are unable to come up with truly random numbers, having access to the source code might make it possible to predict the “random” generated passwords.

While that may seen far-fetched, a determined attacker with enough background knowledge about the circumstances under which the password was generated, for example length of the password, date of creation, username and/or email address, which elements are allowed and required, etc., might be able to brute force the password with a lot less guesses, if they know how the randomization part of the password creation is coded in the software.

What to do?

In response to the incident, LastPass deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While the investigation is ongoing, they have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. 

If you haven’t done so already it is advisable to enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won’t be able to access your account even if your password is compromised. The instructions to enable MFA can be found on the LastPass Support pages.

We will keep you posted here if there are any updates to the story.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.