The widely used password manager LastPass suffered a security breach that is a mix of good and bad news for its many users.
The good news, at least in the short term, is that it appears user password vaults have not been compromised. The bad news is that the attacker made off with source code and some sort of proprietary information, which could potentially be used for future attacks.
Could stolen source code be leveraged for future compromise of password managers?
The immediate danger to LastPass users from this security breach is, fortunately, minimal. The password manager stores each user’s master password on their own local device, preventing a server compromise from exposing it in any way. However, the encrypted vaults in which passwords are stored could potentially be compromised in a number of other ways.
It is difficult to assess the actual risk, as LastPass developer GoTo is keeping quiet on details of which parts of the source code and proprietary information were stolen. Master passwords appeared to have been accessed in a prior breach of the password manager in late 2021, as some users reported attempted logins from foreign countries using their valid credentials. But LastPass says that this was a case of bots using lists of credentials from other data breaches in a “brute force” attack, with the customers who experienced unauthorized access attempts likely having re-used their email and password as their vault login.
And while attackers may not be able to get at user master passwords via the LastPass internal network, it is possible to capture them at the user end by compromising individual devices. This nearly happened at scale in 2019 when a vulnerability in the password manager’s Chrome extension was discovered, but it appears to have been patched out before it could be exploited by attackers. LastPass offers multi-factor authentication (MFA) as an additional line of defense against security breaches, but it must be manually enabled and also have its settings configured properly to actually provide the user with extra protection.
The fact that some employees may be re-using breached login credentials to get into their password managers should also prompt organizations of all types to review password hygiene training, and to ensure that secondary layers of defense are in place on the assumption that a security breach will be caused by this scenario at some point.
LastPass security breach caused by compromised developer account
LastPass says that the security breach was caused by a single compromised developer account, another piece of good news for its password manager customers, as the developer environment is kept separate from the storage vaults. However, there is always the concern that the attackers will find something in the stolen source code that lets them come back with another attempt.
The password manager has not mentioned adding any new elements in response to the security breach, and is not currently advising customers to take any special action.