Proprietary Info, Source Code Stolen in LastPass Data Breach

August 29, 2022 - LastPass, a password manager with 25 million users around the world, disclosed a data breach to its customers. After detecting unusual activity in early August, LastPass discovered that an unauthorized party had stolen portions of source code and some proprietary technical information. 

The threat actor accessed a single compromised developer account to access the information. Luckily, there has been no evidence that the breach involved access to any customer data or encrypted password vaults.

“We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” LastPass explained in its notice.  

LastPass found no evidence that any customer data was accessed and did not recommend any action by customers to further secure their data at this time.

“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm” LastPass explained.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

Password Manager Best Practices

While the LastPass breach is troubling, password managers are still a good option for individuals with lots of online accounts who want the convenience of a single password without the inherent insecurity of using the same password for all accounts. Individuals across all sectors, including healthcare, use password managers to manage their credentials in a convenient manner.

“Greater security is achieved principally through the capability of most password manager applications to generate unique, long, complex, easily changed passwords for all online accounts and the secure encrypted storage of those passwords either through a local or cloud-based vault," the National Institute of Standards and Technology (NIST) explained in a special publication (800-63) regarding digital identity guidelines.

NIST noted that password managers contain information that is highly valuable to cybercriminals, making security even more important. Thankfully, many password managers require two-factor authentication and are developed so that cloud password services cannot even access the password vault, making true compromise extremely difficult.

NIST has not explicitly recommended password managers but has provided best practices for users who choose to utilize them:

• Choose a long passphrase for the master password to the password manager and protect it from being stolen. A passphrase can be made sufficiently long to protect against attacks while still allowing memorization.
• Create unique passwords for all accounts or use the capability of most program managers to generate random, unique, complex passwords for each account.
• Avoid password managers that allow recovery of the master password. Any compromise of the master password through account recovery tools can compromise the entire password vault.
• Use multi-factor authentication for program manager applications that allow that capability.
• Use the password generator capability in most password managers to generate complex, random text answers to online “security” questions for those sites still using them.

With best practices in place, password managers can provide additional security to users.