LastPass Says Source Code Stolen in Data Breach

Discussion in 'other security issues & news' started by guest, Aug 25, 2022.

  1. guest

    guest Guest

    By Ryan Naraine @ryanaraine - August 25, 2022
     
    Last edited by a moderator: Sep 3, 2022
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Email from LastPass:
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What a joke, so LastPass can't even secure its own systems, and it's supposed to keep our passwords safe? :thumbd:
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    The change of ownership caused me to dump it. They tripled the price and I was greatly concerned they would not maintain an acceptable level of security.
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I agree, this stuff is unacceptable, same with Twilio. And I would also like to have more information about how this breach was able to happen and what security tools and procedures were in place, it's time for full disclosure. EDIT: I've just read that LastPass was compromised via the Twilio hack, but that's still no excuse to me.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Absolutely. There is no excuse.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To be fair, this time it wasn't completely their fault, because it all started with Twilio systems being hacked. But still, you would hope there was some kind of backup security system that was able to stop this attack at an earlier stage, without LastPass's source code being stolen.
     
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I think I give LastPass some credit for stepping forward though. It is bolstering to the backbone to do that if user data wasn't swiped, know what I'm saying? Sometimes, companies aren't forthcoming about more serious hacks as they stand to lose customers.

    Not to cringe away from my post about this over at MalwareTips but in general, a company involved with some kind of security should have taken extra precautions. Hopefully, they learned their lesson. Looking at you, Entrust. :cautious:
     
  10. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,444
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    I totally agree. :thumb:
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Sorry, but it is inexcusable for your source code to be someplace that it can be stolen from. There is no reason for it to be on an internet-accessible device. Or not locked down by source control. With encryption. Maybe despite all of that, if you are a big enough target and targeted by the right (or wrong) group, they may get you anyway, but I bet they did not meet any of the standards I just listed.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    They probably had to disclose it in any case. That said I suspect what will be done here is that the source code will be used to make counterfeit versions of the product that will be distributed to steal the user's passwords.
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    3 years in a row is kind of hard to swallow from my perspective. My life would be a disaster if my password manager was broken and all my access credentials (well over 100) were discovered. Never had any issues, but while LastPass has come across my thought process over the years, these kinds of threads leave me saying No Thanks. My .02
     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    It was great (in my opinion) before it was sold. They also bought GoToMeeting and GoToAssist from Citrix and significantly raised the prices of those as well. We used to use all of this stuff. I wouldn't use any of them now. They seem to like to buy established products and profit from them by jacking up the prices while not maintaining the quality (also in my opinion, though that was our experience).
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I completely agree with this.
     
  16. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Unless you do remote work.

    And many companies did so during the pandemic.
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    That is a thing but proper source control should still make it near impossible. In this case when you're making a password manager you sell to the general public, you should be taking every possible precaution. These companies are absolutely a major target.
     
  18. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Nailed it. :thumb:
     
  19. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    LastPass source code breach - do we still recommend password managers?

    https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-code-breach-do-we-still-recommend-password-managers/
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I wouldn't stop using password managers. One with autofill will verify the domain before doing so, making it less likely that end users enter their credentials into a fake site. If for any reason someone gets your passwords, start resetting them immediately, starting with your email, as you will likely need it to verify the change on the other sites, before the bad guys start doing the same.
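
The domain check the post above refers to, as an added example that is not LastPass's code or anything from the original thread. The vault entries, hostnames and URLs are constructed for illustration. The rule it implements is a deliberately strict one: fill only on HTTPS pages whose host is the saved host or a subdomain of it, so lookalike hosts, http:// downgrades, userinfo tricks (`https://accounts.example.com@evil.test/`) and "saved.host.evil.test" all get nothing. Real managers differ in how loosely they match (some match on the registrable domain), but this is the property that makes autofill resist phishing.

```python
"""Decide which saved credentials may be autofilled on a given page URL."""
from urllib.parse import urlsplit

# Constructed sample vault (not real data): credentials keyed by the origin they were saved on.
VAULT = [
    {"site": "https://accounts.example.com/login", "user": "alice"},
    {"site": "https://bank.example/signin", "user": "alice-bank"},
]


def _https_host(url):
    """Return the lower-cased hostname of an https URL, or None if the URL is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # urlsplit already strips userinfo ("user@host") and lower-cases the hostname;
    # the trailing-dot strip normalises "example.com." to "example.com".
    return parts.hostname.rstrip(".")


def same_site(saved_host, page_host):
    """True only if the page host is the saved host or one of its subdomains.

    "accounts-example.com" and "accounts.example.com.evil.test" both fail here,
    which is exactly the case a phishing page relies on a human getting wrong.
    """
    if saved_host is None or page_host is None:
        return False
    return page_host == saved_host or page_host.endswith("." + saved_host)


def credentials_for(page_url, vault=VAULT):
    """Usernames the manager would offer to autofill on page_url (empty list = offer nothing)."""
    page_host = _https_host(page_url)
    if page_host is None:
        return []  # plain http, a non-URL, or a userinfo trick: never autofill
    return [e["user"] for e in vault if same_site(_https_host(e["site"]), page_host)]


if __name__ == "__main__":
    for url in (
        "https://accounts.example.com/login?next=/",
        "https://sso.accounts.example.com/",
        "http://accounts.example.com/login",
        "https://accounts-example.com/login",
        "https://accounts.example.com.evil.test/login",
        "https://accounts.example.com@evil.test/login",
    ):
        print(f"{url:50} -> {credentials_for(url)}")
```

A user comparing the address bar by eye would likely fill the fourth, fifth and sixth URLs; the function does not, because it compares the parsed host rather than what the string looks like.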
     
  21. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    A very good explanation as to why there's no need to change password managers. While I don't use LastPass, if I did, I would keep using it.
    https://www.youtube.com/watch?v=556rCKPsvuw
     
  22. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,444
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    I'm still using LastPass and not changing. I've been using it for many years, the Free Version. Thanks for the video @roger_m :thumb:
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Latest news is that LastPass now believes that the attack started from a LastPass developer's PC, see first link. So I wouldn't be surprised if this was some cookie stealer malware that the hacker managed to install on this machine, perhaps via spear phishing, who knows. So it seems like they are now beefing up endpoint security controls. I actually opened a topic about cookie stealing malware, go check it out on link 2.

    https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
    https://www.wilderssecurity.com/threads/cookie-stealing-the-new-perimeter-bypass.447085/
     
  24. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    LastPass source code breach - incident response report released

    19 Sep 2022

    https://nakedsecurity.sophos.com/2022/09/19/lastpass-source-code-breach-incident-response-report-released/

    "LastPass has now published an official follow-up report on the incident, based on what it has been able to figure out about the attack and the attackers in the aftermath of the intrusion.

    We think that the LastPass article is worth reading even if you aren't a LastPass user, because we think it's a reminder that a good incident response report is as useful for what it admits you were unable to figure out as for what you were.

    What we now know

    The boldface sentences below provide an outline of what LastPass is saying: ..."
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, exactly what I already said. Endpoints should be secured way better against these types of threats, behavior blockers should be able to help against credential and cookie stealing malware, AVs are simply not good enough, that's the bottom line.
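
The kind of behaviour check the two posts above are asking for, as an added example that is not from the thread, from LastPass or from any product. The file-access telemetry, the process name `invoice_viewer.exe` and the timestamps are all constructed; the store paths are the standard Chromium and Firefox profile locations. The rule is simple and does not depend on a signature: the browser itself is the only process that should be reading its cookie and login stores, and a non-browser process that reads a store together with Chromium's "Local State" file (which holds the DPAPI-wrapped key needed to decrypt cookie and password values) is showing the stealer's decrypt pattern rather than a stray backup.

```python
"""Flag non-browser processes that read browser cookie/credential stores, from file-access telemetry."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Format: time|process|pid|operation|path
SAMPLE_EVENTS = r"""
2022-08-10T09:01:02Z|chrome.exe|4120|READ|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2022-08-10T09:01:05Z|firefox.exe|5312|READ|C:\Users\dev\AppData\Roaming\Mozilla\Firefox\Profiles\a1b2.default-release\cookies.sqlite
2022-08-10T09:03:11Z|invoice_viewer.exe|7788|READ|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2022-08-10T09:03:12Z|invoice_viewer.exe|7788|READ|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data
2022-08-10T09:03:12Z|invoice_viewer.exe|7788|READ|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Local State
2022-08-10T09:05:00Z|explorer.exe|1200|READ|C:\Users\dev\Documents\notes.txt
"""

# Files a cookie or credential stealer has to read. Paths are matched lower-cased.
STORE_PATTERNS = {
    "chromium_cookies": re.compile(r"\\(network\\)?cookies$"),
    "chromium_logins": re.compile(r"\\login data$"),
    "chromium_key": re.compile(r"\\local state$"),   # holds the key that decrypts the two above
    "firefox_cookies": re.compile(r"\\cookies\.sqlite$"),
    "firefox_logins": re.compile(r"\\(logins\.json|key4\.db)$"),
}

# Processes allowed to touch their own stores. Anything else reading them is suspect.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def classify(path):
    """Name of the store a path refers to, or None if it is not a browser store."""
    lowered = path.lower()
    for name, pattern in STORE_PATTERNS.items():
        if pattern.search(lowered):
            return name
    return None


def parse_events(text):
    """Yield one dict per pipe-delimited telemetry line."""
    for line in text.strip().splitlines():
        ts, proc, pid, op, path = line.split("|", 4)
        yield {"ts": ts, "proc": proc.lower(), "pid": int(pid), "op": op, "path": path}


def detect_store_theft(text):
    """One alert per (process, pid) that is not a browser yet reads a browser store."""
    touched = defaultdict(set)
    for ev in parse_events(text):
        kind = classify(ev["path"])
        if kind and ev["proc"] not in BROWSERS:
            touched[(ev["proc"], ev["pid"])].add(kind)

    alerts = []
    for (proc, pid), kinds in touched.items():
        # Reading the Chromium key file alongside a Chromium store is the decrypt
        # pattern a stealer shows; a plain copy of one file is lower confidence.
        decrypting = "chromium_key" in kinds and any(
            k.startswith("chromium_") and k != "chromium_key" for k in kinds
        )
        alerts.append({"proc": proc, "pid": pid, "stores": sorted(kinds), "high": decrypting})
    return alerts


if __name__ == "__main__":
    for alert in detect_store_theft(SAMPLE_EVENTS):
        level = "HIGH" if alert["high"] else "MEDIUM"
        print(f"{level}: {alert['proc']} (pid {alert['pid']}) read {', '.join(alert['stores'])}")
```

On the constructed sample the two browsers reading their own files produce nothing, `explorer.exe` reading a document produces nothing, and the one unknown process that read the cookie store, the login store and "Local State" within a second produces a single high-confidence alert. A real behaviour blocker would act on the first such open rather than on a log after the fact, but the decision rule is the same.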
     