A cyber security breach that unfolded at LastPass – a provider of credential management services – appears to have affected only the firm’s developer environment, and is unlikely to rebound on users, according to community experts, who have praised the firm for its quick and transparent response to the incident.
The breach was notified by LastPass on 25 August, prior to the bank holiday weekend, but was first detected a fortnight earlier, said CEO Karim Toubba, when it spotted “some unusual activity within portions of the LastPass development environment”.
Toubba said: “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
“We have determined that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally,” he said.
LastPass has deployed containment and mitigation measures and engaged forensic investigators, as well as implementing additional enhanced security measures.
Toubba said there was no other evidence of malicious activity, and crucially, he added, the incident did not compromise any customer master passwords, which are protected behind a “zero-knowledge” architecture. Nor does any data contained within its customers encrypted “vaults” appear to have been accessed.
“At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here,” said Toubba.
KnowBe4 lead security awareness advocate, Javvad Malik, was among many observers to highlight LastPass’ clear and prompt disclosure as a positive.
“LastPass did well to spot the intrusion into their dev environment, where most organisations probably would have missed it and it is commendable that they communicated the incident clearly to its customers,” he said.
Malik said that keeping lines of communication open and setting appropriate expectations for users was a good foundation to maintain the customer trust that firms such as LastPass are built on. If customers were to lose trust, he said, the negative PR could be more damaging than an actual breach.
Nor should the incident serve to diminish users’ trust in password management services in general. “[They] are still the best way to manage and audit use of credentials,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
Even so it is possible, indeed likely, that the incident will cause some concern for users of the service, particularly when cyber security experts tend to recommend the use of password managers, so there are some actions that LastPass users can take for peace of mind.
“This breach does offer an opportunity to evaluate your security posture if the scope of the breach expands, or other breaches happen in the future. This is true regardless of if you use LastPass specifically or not,” said Melissa Bischoping, director of endpoint security research at Tanium.
“This may mean proactively rotating passwords, temporarily switching to another password manager or password management service. Use multi-factor authentication for not just your bank accounts and social media, but especially for your LastPass or other password management solution.
“Many providers, including LastPass, are offering and migrating to passwordless logins which use more advanced security technologies such as FIDO2 security keys. This reduces friction for end-users and increases the overall account security,” she added.
Nevertheless, the theft of source code and some other company data is a source of concern because this information could be very useful to a threat actor and may lead to future compromise, either of LastPass itself or of its downstream customers.
Deep Instinct’s vice-president of market insight, Justin Vaughan-Brown, described the theft of source code as a scary prospect. “Source code is part of a company’s intellectual property, and therefore holds massive value to cyber criminals,” he said.
“Threat actors who gain access to source code may be able to find the security vulnerabilities within the organisation’s product. This means that cyber criminals are then able to exploit weaknesses within the network, which are unknown to the organisation. Security incidents like this show to organisations that it is more important than ever to start preventing cyber attacks,” said Vaughan-Brown.