LastPass: Attackers stole Source Code

LastPass has begun informing its users of a “recent security incident” in which an “unauthorized party” used a single compromised developer account to access portions of its password manager’s source code and “some proprietary LastPass technical information.”

In a letter to users, CEO Karim Toubba states that the company’s investigation has found no evidence that any customer data or encrypted password vaults were accessed. LastPass’s stated reason is its zero-knowledge design: vaults are encrypted on the client, and the master password is never stored on, or known to, its servers, so user data does not appear to have been affected.

Toubba goes on to say that the company has “implemented additional enhanced security measures” after containing the breach, which it detected two weeks ago. The company would not say how long the attacker had access before the intrusion was noticed.

According to LastPass, users don’t need to do anything at this point; there is no reason to spend an afternoon rotating your master password and auditing every account. LastPass itself, on the other hand, likely has its work cut out for it: with its source code in an unauthorized party’s hands, it needs to review that code for anything the attacker could now find and exploit.

To be clear, attackers having a program’s source code does not by itself mean they can break it. Microsoft has famously said that it does not rely on the secrecy of its source code for security, and that people being able to read it should not be a risk; the same should be true of any company, and especially one whose whole business is keeping your passwords safe. A well-built password manager keeps its security in client-side encryption and the master password, not in hiding its code. Even so, if you were a LastPass customer you would want the company to pore over its code for any subtle vulnerability that was previously missed and is now easier for an outsider to find.

Even though the breach does not appear to signal a red-alert security problem at the company, it is still not a good look for a password manager already struggling with its reputation. It is just the latest in a line of incidents for LastPass, and the company also earned the ire of many users when it made its free tier significantly less useful in early 2021.

LastPass is a freemium password manager that stores encrypted passwords in the cloud. The standard version of LastPass comes with a web interface and also offers plugins for various web browsers and apps for many mobile platforms. It also supports bookmarklets. LogMeIn, Inc. (now GoTo) acquired LastPass in October 2015. On December 14, 2021, LogMeIn announced that LastPass would be spun off as a separate company and would accelerate its release timeline.

LastPass includes a form filler that automates password entry and form filling, and supports site sharing, password generation, site logging, and two-factor authentication. Two-factor authentication is supported through several methods, including the LastPass Authenticator app for mobile phones and YubiKey. LastPass is available as an extension for many web browsers, including Apple Safari, Microsoft Edge, Google Chrome, Mozilla Firefox, Vivaldi, and Opera, and as apps for smartphones running Android, iOS, or Windows Phone. The apps also include offline functionality.

In August 2017, LastPass launched LastPass Families, a family plan for sharing passwords, bank account information, and other sensitive data among family members for a $48 annual subscription. At the same time, it doubled the price of the Premium tier without adding any new features, and removed some features from the free version.

On February 16, 2021, LastPass announced that from March 16, Free accounts would work on only one device type, mobile or desktop, rather than both. Any user wanting to continue using both would have to pay for Premium. Email support for Free users ended at the same time.

LastPass is among the most popular password managers, and the choice between it and its competitors comes down largely to personal preference. In March 2019, LastPass received the Best Product in Identity Management award at the seventh annual Cyber Defense Magazine InfoSec Awards.

In February 2021, in response to LastPass limiting its free tier to one type of device, Barry Collins of Forbes called the change a “bait and switch” that makes free accounts “much less useful than they used to be” and “ruins” the free tier.

In May 2011, LastPass discovered an anomaly in its incoming network traffic, then a similar anomaly in its outgoing traffic. Administrators found none of the hallmarks of a classic security breach, but neither could they determine the anomalies’ cause. Given the size of the anomalies, it was theoretically possible that data such as the server salt, email addresses, and the salted password hashes had been copied from the LastPass database.

In a blog post on Monday, June 15, 2015, LastPass said its team had discovered and blocked suspicious activity on its network the previous Friday. The investigation showed that account email addresses, password reminders, authentication hashes, and server per-user salts had been compromised; encrypted user vault data was not affected. With a user’s salt and authentication hash in hand, an attacker can test master-password guesses offline, so the strength of the master password and of the server-side key derivation is what limits the damage from a leak of this kind.

In July 2016, a blog post by the independent security firm Detectify described a method for reading plaintext passwords for arbitrary domains from a LastPass user’s vault when that user visited a malicious website. The vulnerability was made possible by poorly written URL parsing code in the LastPass extension. Detectify did not disclose the flaw publicly until it had been reported privately to LastPass and the browser extension had been fixed. LastPass responded to the public disclosure in a post on its blog, in which it also acknowledged an additional vulnerability, found by a member of the Google Security Team, that had already been fixed.
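Why hand-rolled URL parsing is a dangerous basis for an autofill decision, as an added example that is neither the LastPass extension’s code nor the specific regex Detectify reported. It assumes a hypothetical autofill rule (credentials saved for a “trusted domain” may be filled only when the page’s host is that domain or a subdomain of it) and contrasts a common regex mistake with the platform’s WHATWG `URL` parser; the test URLs are constructed and use reserved example names.

```javascript
// Added example, not the LastPass extension's code. Hypothetical autofill rule:
// credentials for a "trusted domain" may be filled on a page only if the page's
// host is that domain or a subdomain of it. The naive parser reproduces a common
// hand-rolled mistake (not the specific bug Detectify found): it treats
// everything before an "@" as userinfo, so the "host" it extracts can come
// from the path.

const NAIVE_HOST_RE = /^https?:\/\/(?:[^@]+@)?([^/:?#]+)/i;

// Vulnerable: regex-based host extraction.
function naiveHost(url) {
  const m = NAIVE_HOST_RE.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened: let the WHATWG URL parser decide what the host is. Userinfo must
// precede the first "/", so a path like "/@twitter.com/" can never become the
// host. Any parse failure or non-web scheme is treated as "no host".
function parsedHost(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Suffix match on whole labels only: "login.twitter.com" matches "twitter.com";
// "twitter.com.evil.example" and "nottwitter.com" do not. A production
// implementation would additionally stop at the public-suffix boundary
// (never accept "co.uk" as a trusted domain).
function hostMatchesDomain(host, trustedDomain) {
  if (!host) return false;
  const d = trustedDomain.toLowerCase();
  return host === d || host.endsWith('.' + d);
}

function naiveIsTrusted(url, trustedDomain) {
  return hostMatchesDomain(naiveHost(url), trustedDomain);
}

function hardenedIsTrusted(url, trustedDomain) {
  return hostMatchesDomain(parsedHost(url), trustedDomain);
}

// Constructed test URLs; "evil.example" is a reserved example name.
const CASES = [
  'https://login.twitter.com/sessions',
  'https://twitter.com/',
  'https://twitter.com.evil.example/',
  'https://evil.example/@twitter.com/@login.php',   // fools the regex, not the parser
  'not a url',
];

function compare(trustedDomain) {
  return CASES.map((url) => ({
    url,
    naive: naiveIsTrusted(url, trustedDomain),
    hardened: hardenedIsTrusted(url, trustedDomain),
  }));
}

console.table(compare('twitter.com'));
```

The fourth case is the one that matters: the regex reports `twitter.com` as the host of a page served by `evil.example`, so an extension relying on it would fill Twitter credentials into the attacker’s page, while the parser correctly reports `evil.example` and refuses.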

On March 20, 2017, Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension; the exploit applied to all LastPass clients, including Chrome, Firefox, and Edge. The vulnerable functionality was disabled on March 21 and patched on March 22. On March 25, Ormandy found a further flaw allowing remote code execution when a user navigated to a malicious website; that vulnerability was also patched.

On Friday, August 30, 2019, Tavis Ormandy reported a vulnerability in the LastPass browser extension: a website running malicious JavaScript could obtain the username and password the password manager had filled on the previously visited site. LastPass publicly disclosed the vulnerability on September 13, 2019, noting that the issue was limited to the Google Chrome and Opera extensions; nonetheless, the patch was released for all platforms.