LastPass Password Manager Breached, Source Code Stolen

LastPass, a prominent Password Manager, has disclosed they were compromised in August. This attack, while not stealing any passwords proved to be costly as the source code, the groundwork for any cyber intellectual property, was stolen.

Password Managers are keepers of various passwords you use in everyday life. With an average of at least four passwords per person, password managers are an invaluable resource for most people in businesses and everyday life. In LastPass’s case, any password that uses the system is encrypted before being sent to their servers. The company itself does not touch the passwords

While the attack itself was not damaging to its customers, future attacks are not only expected but inevitable as the hackers had stolen the source code to the website. The source code is the foundation to any internet and cyber data. Without it, you cannot create or run a website. With the source code in hand, hackers have their figurative skeleton key into service.

Ajay Arora, co-founder and president at BluBracket, noted that attackers will be looking hard for potential weaknesses to exploit in the LastPass source code, potentially leading to follow-on attacks. “An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application's architecture," he said via an emailed statement. "This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact."(1)

This is not the first time that LastPass was compromised, rather it is the third one that has occurred in the last three years. In September 2019, the service reported a bug in their Chrome and Opera programing where credentials were compromised the previous July and promptly fixed this issue with a patch.(2)

In 2020, amid the chaos of the pandemic, they experienced an outage, affecting accounts that were older than 2014. Users reported they were unable to log into their accounts or access the site, showing error messages while logging onto the service. This disruption lasted a week and caused my anger at the company, especially since they refused to acknowledge the breach in anyway.

Perhaps the most telling of this is that LastPass’ code is considered a proprietary source code, rather than an open one. An Open-source code is open to the public. Security experts and regular users can see the code, comment on its security, and potentially work on fixes individually. Proprietary codes are typically codes owned by companies, Apple being the biggest example. They are more restrictive on who can access the code, therefore, less oversight to problems.(3) The fact that LastPass was a proprietary code meant that it could not be checked regularly.

With LastPass being compromised, many other source codes should be checked for any potential breaches. According to them, Passwords are currently safe but who knows if that will remain the case. With this breach, it is important for people to protect their passwords and change them regularly to prevent someone from simply walking in and stealing your date.