Password management service LastPass is once again at the centre of a security scare, after it confirmed a recent ‘security incident.’

LastPass confirmed a data breach on Thursday in a blog post in which it admitted the hackers had stolen source code and other technical data.

But it insisted that its prized data – namely its customer data and their encrypted password vaults – had not been compromised.

Data breach

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” the firm stated. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

LastPass said that “unauthorised party” had gained access to portions of its development environment through a single compromised developer account. The hacker apparently “took portions of source code and some proprietary LastPass technical information.”

The firm said its products and services are operating normally.

“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” said the firm. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorised activity.”

It said that based on what it had learned and implemented, it is evaluating further mitigation techniques to strengthen its environment.

LastPass thanked its users for their “patience, understanding and support.”

Previous compromises

But this is not the first time that LastPass has been compromised.

In January 2016 a security researcher (Sean Cassidy) cast doubts on the security of LastPass when he claimed he had discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.

Cassidy went public and publish his exploit on Github after notifying the firm two months previously, but he was not satisfied by their response.

Prior to that in June 2015, LastPass suffered a major data breach, in which the stolen data could have allowed hackers to guess weak master passwords.

The company said at the time that as a precaution it was prompting all users to change their master passwords.

Third-party passwords stored with LastPass were not affected at the time.

Source code theft

Now over five years after these previous breaches, the fact that LastPass had admitted that some of its source code has been stolen has prompted a response from Justin Vaughan-Brown, VP market insight at cybersecurity specialist Deep Instinct.

“Stolen source code is a scary prospect for organisations, and unfortunately, it opens the door potentially for further attacks on the business,” noted Vaughan-Brown. “Source code is part of a company’s intellectual property, and therefore holds massive value to cyber criminals. LastPass confirmed that an unauthorised party gained access and took portions of the source code.

Justin Vaughan-Brown of Deep Instinct

“Threat actors who gain access to source code may be able to find the security vulnerabilities within the organisation’s product,” said Vaughan-Brown. “This means that cyber criminals are then able to exploit weaknesses within the network, which are unknown to the organisation. Security incidents like this show to organisations that it is more important than ever to start preventing cyberattacks.”

“Far too many organisations rely on a reaction and mitigation approach when it comes to cybersecurity,” Vaughan-Brown added. “Endpoint detection and response (EDR), needs malware to execute in order to pick it up as malicious, by which point it could be already too late.”

“For example, by the time a cyberattack has been detected, source code could have already been stolen,” said Vaughan-Brown. “Organisations then usually end up seeing their data being bought and sold on the dark web, fuelling more heinous cybercrimes. It’s time we start to stop cyberattacks before they reach this point.”

“Businesses need to start looking towards proactive and preventative mindset that stop cyberattacks before they breach the network, “ said Vaughan-Brown. “It’s time to put cybercriminals out of business once and for all by showing them that we can stop their criminal acts before they have time to cause any damage.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

21 hours ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

21 hours ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

22 hours ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

22 hours ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

23 hours ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

23 hours ago