Cyberattackers have compromised the internal systems of LastPass, making off with source code and intellectual property.
LastPass is a freemium password manager that stores encrypted passwords online. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets. LogMeIn, Inc. acquired LastPass in October 2015.
The password management company said it detected anomalous activity in its development environment two weeks ago. After digging into the forensic data, investigators determined that one or more attackers compromised a developer account to gain access to the network, taking “portions of source code and some proprietary LastPass technical information,” according to an announcement posted this week.
Crucially, the adversaries weren’t able to access customer data or encrypted password vaults.
“We utilize an industry-standard ‘zero-knowledge’ architecture that ensures LastPass can never know or gain access to our customers’ Master Password [and it] ensures that only the customer has access to decrypt vault data,” according to LastPass.
That said, Ajay Arora, co-founder and president at BluBracket, noted that attackers will be looking hard for potential weaknesses to exploit in the LastPass source code, potentially leading to follow-on attacks.
“An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application’s architecture,” he said via an emailed statement. “This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact.”
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, also said in a statement that the attackers could have been probing around to see if they could find an avenue into LastPass partner or supplier networks.
“Cybersecurity companies are being targeted to facilitate island hopping,” he said. “After the FireEye breach, the industry should have woken up. In 2022, cybersecurity companies must practice what they preach. Many still underinvest in their own cybersecurity. Expect to be hit and prepare to respond.”