LastPass’s internal systems have been hacked, and hackers have stolen proprietary code and intellectual property. According to the password management firm, strange behavior was first spotted two weeks ago in the company’s development environment.
According to an announcement made this week, investigators dug into the forensic data and concluded that a developer account had been hijacked and that “portions of source code and some sensitive LastPass technical information” had been stolen.
More importantly, the attackers did not gain access to encrypted client data or secure storage areas for passwords. According to LastPass, “we deploy an industry-standard ‘zero-knowledge’ design that ensures only the client has access to decrypt vault data.” This means that LastPass will never have access to a user’s Master Password.
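To make the “zero-knowledge” split concrete, here is an added illustration (not LastPass’s code, and not a description of its actual key schedule): the master password is turned into a vault key on the client, a separately derived authentication hash is all the server ever receives for login, and the server only stores that hash plus the encrypted blob. The iteration count, the username-as-salt choice and the toy HMAC-based cipher are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_100  # PBKDF2 rounds; assumed value for illustration only


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side: vault encryption key from the master password. Never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.lower().encode(), ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one further PBKDF2 round over the vault key; this is the login credential
    the server stores. It cannot be reversed to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256, standing in for AES-GCM (not in the
    # standard library). Illustrative only; use a real AEAD in production.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client side: nonce || ciphertext || tag, encrypt-then-MAC under the vault key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))


def server_side_attempt(stored_auth_hash: bytes, blob: bytes) -> Optional[bytes]:
    """Everything the server (or whoever compromises it) holds: the auth hash and the blob.
    Treating the auth hash as the vault key fails the integrity check, so the vault stays sealed."""
    return decrypt_vault(stored_auth_hash, blob)
```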
However, as BluBracket’s co-founder and president Ajay Arora pointed out, hackers will likely scour the LastPass source code for vulnerabilities in the future.
As he explained in an email comment, “another consequence that might come from stolen or leaked source code is that this code can divulge secrets about the design of an application. It’s possible that this would identify the location of sensitive data storage areas as well as the kind of resources employed by the company. In the aftermath of an attack, these conditions could give criminals the tools they need to do even more damage to the targeted institution.”
The attackers may have been looking for a way into LastPass’s partner or supplier networks, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.
“Cyber security firms are being used for island hopping,” he said. “The industry as a whole should have taken notice after the FireEye hack. Cybersecurity firms in 2022 must demonstrate the values they espouse. Some organizations still don’t put enough money into cyber defenses. Aim to get hit, and be ready to fight back.”