Password manager company LastPass disclosed in an Aug. 25 blog post that it had been hacked, adding that after initiating an immediate investigation it had seen no evidence that the incident involved any access to customer data or encrypted password vaults. Users' private information, including passwords and login details for banking, shopping and social media accounts, is therefore unlikely to have been compromised in this incident.
CEO Karim Toubba detailed in the post that the company detected unusual activity within portions of the LastPass development environment two weeks ago.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally,” Toubba wrote in the post.
In response to the incident, LastPass said it has deployed “containment and mitigation measures,” and has engaged a cybersecurity and forensics firm.
“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” Toubba added.
Steve Bassi, co-founder and CEO of PolySwarm, a decentralized, crowdsourced threat-intelligence provider, told GOBankingRates that LastPass has done a good job of quickly addressing the breach and conveying to users (and to security professionals) what was affected.
“Despite this breach, users’ master passwords are not in danger of being compromised. That said, users are undoubtedly unsettled by this incident and the pros still have a few questions about the software supply chain security of LastPass’ source code,” Bassi said. “Specifically, LastPass’ source code handles all users’ master passwords by necessity, so we really don’t want that getting backdoored.”
Bassi said the hack highlights the growing threats to systems security worldwide, and that it follows a common pattern: attackers steal source code to understand how a product protects secrets at scale, in this case passwords.
He added that while so much focus has been on the hacks to Web3 networks of late, and justifiably so, this incident also underscores the huge attack surface of “traditional” Web2 applications that we rely on every day.
“These threats are only growing, with a variety of lone and state-backed actors trying to penetrate private and public networks, and there is no shortage of potential security incidents but there is a distinct lack of cybersecurity labor in enterprises,” Bassi said. “This incident also highlights a key use case for harnessing remote and distributed threat-detection workforces detecting and preventing such hacks.”
In terms of what LastPass users can do to protect themselves right now, Bassi said that it’s most prudent to wait for the company to audit its software supply chain and give its users assurances that their next updates are built securely.
“IT managers that have large LastPass user bases should also be on high alert for any credential spraying — that is, large amounts of failed logins across their user base — or unusual login patterns from their users in the coming days,” Bassi said. “All in all, this is another wakeup call. Even though separate passwords for each service in a password manager is best practice, it’s still no replacement for suspicious login vigilance over your corporate and personal accounts.”
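The monitoring Bassi describes, as an added example that is not part of the article and not code from LastPass or PolySwarm: a small Python script that runs over a constructed set of authentication log lines (the format, the thresholds, the IP addresses and the per-user baseline of usual source addresses are all assumptions) and separates the three patterns an IT manager would want to tell apart. Credential spraying shows up as one source hitting many distinct accounts with one failure each, so a per-account lockout counter never fires; brute force is many failures against one account; and an "unusual login pattern" is modeled here as a successful login from a source address never before seen for that user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real LastPass or customer data).
# Format: ISO-8601 timestamp, username, source IP, result (OK or FAIL).
SAMPLE_LOG = """\
2022-08-26T09:00:01Z alice 203.0.113.7 FAIL
2022-08-26T09:00:04Z bob 203.0.113.7 FAIL
2022-08-26T09:00:09Z carol 203.0.113.7 FAIL
2022-08-26T09:00:15Z dave 203.0.113.7 FAIL
2022-08-26T09:00:20Z erin 203.0.113.7 FAIL
2022-08-26T09:00:31Z frank 198.51.100.9 FAIL
2022-08-26T09:00:32Z frank 198.51.100.9 FAIL
2022-08-26T09:00:33Z frank 198.51.100.9 FAIL
2022-08-26T09:00:34Z frank 198.51.100.9 FAIL
2022-08-26T09:00:35Z frank 198.51.100.9 FAIL
2022-08-26T09:01:02Z bob 192.0.2.10 OK
2022-08-26T09:02:40Z alice 203.0.113.7 OK
"""

# Assumed baseline: the source IPs each user has previously logged in from.
KNOWN_SOURCES = {"alice": {"192.0.2.11"}, "bob": {"192.0.2.10"}}


def parse_log(text):
    """Parse the whitespace-separated format above into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "ok": result == "OK",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Credential spraying: one source IP failing against many distinct accounts inside `window`.

    Returns {ip: set of targeted users}. Each account sees only a failure or two, so counting
    distinct users per source (not failures per account) is what exposes this pattern.
    """
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until fails[start:end+1] fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            targeted = {f["user"] for f in fails[start:end + 1]}
            if len(targeted) >= min_users:
                alerts[ip] = alerts.get(ip, set()) | targeted
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_fails=5):
    """Brute force: many failures against a single account inside `window`.

    Returns {user: peak number of failures seen in any one window}.
    """
    fails_by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in fails_by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_fails:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def detect_new_source(events, known):
    """Successful logins from a source IP never before seen for that user.

    `known` is {user: set of usual IPs}; a copy is updated as logins are seen so a
    second login from the same new address is not flagged twice. Returns [(user, ip), ...].
    """
    seen = {user: set(ips) for user, ips in known.items()}
    flagged = []
    for e in events:
        if not e["ok"]:
            continue
        if e["ip"] not in seen.get(e["user"], set()):
            flagged.append((e["user"], e["ip"]))
        seen.setdefault(e["user"], set()).add(e["ip"])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("brute-forced accounts:", detect_brute_force(evs))
    print("logins from new sources:", detect_new_source(evs, KNOWN_SOURCES))
```

On the sample data the spray detector reports only 203.0.113.7 (five different accounts in 19 seconds), the brute-force detector reports only frank (five failures from 198.51.100.9), and the new-source check flags alice's successful login from the spraying address while bob's login from his usual address passes. The thresholds are illustrative; in practice they are tuned to the size of the user base, and the source key would usually be an ASN or /24 rather than a single IP, since sprays are commonly spread across many addresses.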
Internet users should take care to increase their privacy settings wherever possible or prudent, as this could protect sensitive data (including personal financial data). “Whenever possible, you want to keep your online presence as private as possible — such as locking social media accounts so that only followers can see your posts,” Cybersecurity Magazine recommended. The publication also noted that you should vary usernames and change passwords regularly, steer clear of phishing emails and enable multi-factor authentication.