LastPass confirms attackers stole source code


Earlier this week, LastPass began notifying its users of a “recent security incident” in which an “unauthorized party” used a compromised developer account to access portions of its password manager source code and “certain LastPass proprietary technical information”. In a letter to its users, the company’s CEO, Karim Toubba, explains that the company’s investigation did not reveal evidence that user data or encrypted passwords were accessed.

Toubba goes on to explain that the company has “implemented additional enhanced security measures” after containing the breach, which it detected two weeks ago. The company wouldn’t comment on how long the breach lasted before it was detected.

As LastPass explains, at this point its users don’t need to do anything – there’s no reason you should spend an afternoon changing your master password and performing a full security audit. LastPass, on the other hand, probably has its work cut out for it making sure it doesn’t need to make any changes now that an unauthorized party has had access to its source code.

To be clear, hackers having access to a program’s source code does not mean that they can instantly break through its defenses. Famously, Microsoft says it doesn’t rely on its source code being kept private for security reasons and says people being able to read it shouldn’t be a risk (which is a good thing, because its source code leaks a lot). And while that should be the case for any company, especially ones whose entire business is protecting your passwords, if I were a LastPass customer I’d still want the company to go back over its code to make sure there are no subtle vulnerabilities it missed.

Despite the fact that the breach doesn’t appear to be a red flag for corporate security issues, it’s still not a good look for a password manager struggling with its reputation. This is just the latest in a string of incidents for LastPass (the software’s Wikipedia page is largely made up of a section titled “security issues”), and the company has also drawn the ire of many users for changing its free tier to be significantly less useful in early 2021.
