LastPass Password Manager Hacked Again


LastPass, the well-known password management service, has recently announced that it has been hacked. Specifically, Karim Toubba, the company’s CEO, wrote that an “unauthorized third party gained access to parts of the LastPass development environment through a compromised developer account,” thereby getting hold of parts of the software’s source code and technical information.

This isn’t the first time the password manager has had security issues. In 2021, it emerged that some users’ LastPass master passwords may have been exposed. LastPass replied that there was no hack. But users who received emails warning them that an unknown person was trying to log into their accounts were unconvinced. LastPass then insisted that it was only the result of a credential stuffing attack.

Recurring security issues

In 2020, LastPass experienced a major outage, and users reported being unable to log into their accounts or autofill their passwords. In 2019, a major LastPass security issue was also discovered by security researchers.

None of these problems is, on its own, especially serious. Yes, it’s bad that a developer’s account was compromised, but it does happen. That said, it’s still concerning that the largest password manager company, with 20 million claimed customers, has significant and recurring security issues.

Certainly, as Mr. Toubba asserted about this week’s hack, “we have seen no evidence that this incident involved access to customer data or password vaults.” But with part of the source code exposed and technical secrets exfiltrated, the possibility of a follow-on attack that could expose users’ passwords has to be taken into account.

Intrinsic fragility

This is another example of the fragility of software built with proprietary code. The code of open source-based password managers, such as Bitwarden, is verified by independent experts. This ensures that potential security weaknesses can be spotted before they become security holes.

However, LastPass did not stand idly by. The company has “engaged a leading cybersecurity and investigations firm” to investigate what happened. The company has also implemented enhanced security measures. They saw “no other evidence of unauthorized activity”.

But from my point of view, it’s too little and too late, even if it’s still a worthwhile effort. Granted, LastPass is still a good password manager. But if you are looking for new software, no one will blame you.


Source: “ZDNet.com”