Password management service LastPass is once again at the centre of a security scare, after it confirmed a recent ‘security incident.’

LastPass confirmed a data breach on Thursday in a blog post in which it admitted the hackers had stolen source code and other technical data.

But it insisted that its prized data – namely its customer data and their encrypted password vaults – had not been compromised.

Data breach

“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” the firm stated. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

LastPass said that “unauthorised party” had gained access to portions of its development environment through a single compromised developer account. The hacker apparently “took portions of source code and some proprietary LastPass technical information.”

The firm said its products and services are operating normally.

“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” said the firm. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorised activity.”

It said that based on what it had learned and implemented, it is evaluating further mitigation techniques to strengthen its environment.

LastPass thanked its users for their “patience, understanding and support.”

Previous compromises

But this is not the first time that LastPass has been compromised.

In January 2016 a security researcher (Sean Cassidy) cast doubts on the security of LastPass when he claimed he had discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.

Cassidy went public and publish his exploit on Github after notifying the firm two months previously, but he was not satisfied by their response.

Prior to that in June 2015, LastPass suffered a major data breach, in which the stolen data could have allowed hackers to guess weak master passwords.

The company said at the time that as a precaution it was prompting all users to change their master passwords.

Third-party passwords stored with LastPass were not affected at the time.

Source code theft

Now over five years after these previous breaches, the fact that LastPass had admitted that some of its source code has been stolen has prompted a response from Justin Vaughan-Brown, VP market insight at cybersecurity specialist Deep Instinct.

“Stolen source code is a scary prospect for organisations, and unfortunately, it opens the door potentially for further attacks on the business,” noted Vaughan-Brown. “Source code is part of a company’s intellectual property, and therefore holds massive value to cyber criminals. LastPass confirmed that an unauthorised party gained access and took portions of the source code.

Justin Vaughan-Brown of Deep Instinct

“Threat actors who gain access to source code may be able to find the security vulnerabilities within the organisation’s product,” said Vaughan-Brown. “This means that cyber criminals are then able to exploit weaknesses within the network, which are unknown to the organisation. Security incidents like this show to organisations that it is more important than ever to start preventing cyberattacks.”

“Far too many organisations rely on a reaction and mitigation approach when it comes to cybersecurity,” Vaughan-Brown added. “Endpoint detection and response (EDR), needs malware to execute in order to pick it up as malicious, by which point it could be already too late.”

“For example, by the time a cyberattack has been detected, source code could have already been stolen,” said Vaughan-Brown. “Organisations then usually end up seeing their data being bought and sold on the dark web, fuelling more heinous cybercrimes. It’s time we start to stop cyberattacks before they reach this point.”

“Businesses need to start looking towards proactive and preventative mindset that stop cyberattacks before they breach the network, “ said Vaughan-Brown. “It’s time to put cybercriminals out of business once and for all by showing them that we can stop their criminal acts before they have time to cause any damage.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

19 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

20 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

21 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago