LastPass hacked (again): What devs can learn

Richi Jennings, independent industry analyst, editor, and content strategist.

The latest LastPass hack: Bad actors stole source code and other secrets from the huge password-manager firm’s dev environment. But not, it stresses, anyone’s passwords — as far as it can tell.

The moral of the story? Devs should never rely on security by obscurity. Always assume you have unknown “CVSS 10.0” bugs and operate a defense-in-depth strategy. Imagine hackers already have your code, as if it was open source.

What a mess. And it’s not the first time. In this week’s Secure Software Blogwatch, we put all our eggs in one basket.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Space-filling curves.

LastChance for its reputation?

What’s the craic? Lawrence Abrams reports — “LastPass developer systems hacked to steal source code”:

33 million people and 100,000 businesses
LastPass was hacked [three] weeks ago, enabling threat actors to steal the company's source code and proprietary technical information. The disclosure comes after [I] learned of the breach from insiders.

LastPass [confirmed] it was breached through a compromised developer account. … Sources [say] employees were scrambling to contain the attack.

Over 33 million people and 100,000 businesses … use the company's software to store their passwords securely [so] there are always concerns that if the company was hacked it could allow threat actors access to stored passwords. … It is vital to enable multi-factor authentication on your LastPass accounts so that threat actors won't be able to access your account even if your password is compromised.

Are you feeling any déjà vu? Steven J. Vaughan-Nichols tells us why — “LastPass was hacked — again”:

Significant, annual security problems
This isn't the first time LastPass has had security problems. In 2021, it appeared that some users' LastPass Master Passwords may have been revealed. LastPass replied that it hadn't been breached, but users … weren't convinced.

In 2020, LastPass had a major outage, and users reported they couldn't log into their accounts or autofill passwords. In 2019, a significant LastPass security problem was uncovered by security researchers.

It's still concerning that the biggest password security company … has significant, annual security problems. [And] with proprietary source code and technical secrets revealed, the possibility of an attack that could reveal users' passwords is certainly there. This is yet another example of how proprietary code is less secure than open-source code.

Horse’s mouth? LastPass CEO Karim Toubba ’fesses in PR — “Notice of Recent Security Incident”:

Achieved a state of containment
We detected some unusual activity within portions of the LastPass development environment. … An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.

This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize [a] Zero Knowledge architecture. … This incident occurred in our development environment. [There’s] no evidence of any unauthorized access to customer data in our production environment.

In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. … We are evaluating further mitigation techniques.
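To make concrete what a "zero knowledge" claim like the one above means in practice, here is an added illustration (my sketch, not LastPass's code, and not its actual key-derivation parameters): the client derives the vault key and a separate login verifier from the master password, and the service stores only a salted hash of that verifier plus ciphertext it cannot open. The account id, iteration count and the HMAC-based keystream are assumptions made for the demo.

```python
import hashlib, hmac, os

KDF_ITERATIONS = 100_000  # assumed demo value, not a vendor setting

def derive_vault_key(master_password: str, account_id: str) -> bytes:
    # Client only: stretch the master password into the vault key, salted by account id.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account_id.lower().encode(), KDF_ITERATIONS, 32)

def derive_login_verifier(vault_key: bytes, master_password: str) -> bytes:
    # Client only: a further one-way step, so what is sent to log in is neither the password nor the key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, 32)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream (no integrity check) so the demo needs no extra library;
    # a real vault would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Server:
    def __init__(self):
        self.records = {}  # per account: salt, salted hash of verifier, nonce, ciphertext

    def register(self, account_id, verifier, nonce, ciphertext):
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", verifier, salt, 1, 32)
        self.records[account_id] = (salt, stored, nonce, ciphertext)

    def login(self, account_id, verifier):
        salt, stored, nonce, ciphertext = self.records[account_id]
        if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", verifier, salt, 1, 32), stored):
            return None
        return nonce, ciphertext  # opaque to the server: it never had the vault key

def client_store(server, account_id, master_password, vault_plaintext):
    key = derive_vault_key(master_password, account_id)
    nonce = os.urandom(16)
    server.register(account_id, derive_login_verifier(key, master_password),
                    nonce, keystream_xor(key, nonce, vault_plaintext))

def client_open(server, account_id, master_password):
    key = derive_vault_key(master_password, account_id)
    blob = server.login(account_id, derive_login_verifier(key, master_password))
    return None if blob is None else keystream_xor(key, blob[0], blob[1])
```

The point for defenders: a stolen copy of `records` contains nothing that opens a vault directly, but the verifier hash is still a target for offline password guessing, which is what the key stretching, a strong master password and MFA are there to mitigate.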

So that’s alright then? LDS smells a rat:

"Excusatio non petita, accusatio manifesta." Why did they have to say [the master] passwords were still safe, if they never store or have knowledge of such passwords?

If LastPass doesn't have the passwords, how could they be compromised or accessed? A simple mistake [in a] rush, or a Freudian slip? Think about it.

Conspiracy theories aside, should we stop using LastPass? Dutch Gun thinks it’s good enough:

Every other solution … I've looked at is a relative pain in the ***. … Right on the webpage, where you actually have to enter your credentials, they're entered for you automatically. If you change your password, LastPass detects it. Add some new credentials? LastPass detects and stores them for you.

Is it absolutely the most secure solution out there? Probably not, since integration with the browser carries some risk. Is it the most convenient solution with an acceptable level of risk for me? Yep. LastPass has been around a decade or so, with no serious security issues. They've been very good about reporting and responding to any potential issues that have been discovered. I understand how their technology works, and I'm comfortable that it's secure enough.

As does metavirus:

I definitely agree that any hack is potentially troubling, but I think [we] could use a bit more nuance. … I’m not concerned, given what was hacked and how client-side data is stored.

At this point, we should all basically assume that any business we work with is going to get hacked. So we just need to be smart about mitigation. The details of the LastPass hack aren’t very troubling — to me at least.

But the source code. The source code! sarusa sounds deeply troubled:

Here come the exploits. Of course if LastPass security and design is perfect, then it doesn't matter if the source code is stolen. But if there are any bugs at all (and there always are, and LastPass doesn't have a perfect record) then the attackers now have holes to drive through.

Which brings us back to SJVN’s point about closed source. gweihir drives it home:

Well, there is really no sane reason to use anything closed-source … for this task. [But] there are always plenty of people disconnected from reality.

If we take him literally, Robert might be one:

See? This is why my password is "password123" everywhere. No dependencies on iffy third parties.

Meanwhile, nospam007 snarks it up:

Waiting for VeryLastPass to launch.

And Finally:

An “approximation” of an interesting video

Hat tip: FeralCatMan


You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.