HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Source Code Stolen in LastPass Data Breach

A cyberattack and data breach have been reported by LastPass, the provider of the world’s most popular password management solution. According to LastPass, there are around 30 million users of its password manager solution globally, including 85,000 business customers. Notifications have been sent to customers to inform them about the cyberattack and provide reassurances that, while some company data was stolen in the attack, users’ password vaults were not affected and the cyberattack did not cause any disruption to its products or services.

According to the notice, two weeks ago, LastPass discovered that an unauthorized individual had gained access to the account of one of its developers, which gave the attacker access to the LastPass development environment. LastPass said steps were immediately taken to contain the attack and prevent further unauthorized access, with the forensic investigation confirming the attackers stole portions of its source code and “some proprietary LastPass technical information.”

As is the case with many other password management solutions, LastPass operates under the zero-knowledge model, which means it does not have access to the encrypted password vaults of any of its users. Only individual customers are able to access their password vaults, by providing the master password and passing multi-factor authentication checks (if MFA has been enabled). LastPass CEO Karim Toubba said, “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” There is therefore no need for users to change their master passwords.
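The following is an added illustration of the zero-knowledge model described above; it is not code from the HIPAA Journal article or from LastPass. It assumes a common construction (an assumption, not LastPass’s published design): the client derives the vault encryption key from the master password, then derives a separate one-way login value from that key, and the server stores only a salted hash of the login value, so nothing held server-side can reproduce the vault key.

```python
import hashlib
import hmac
import secrets

# Illustrative iteration count (assumption; production values vary by product).
PBKDF2_ROUNDS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that encrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), PBKDF2_ROUNDS
    )


def derive_login_value(vault_key: bytes, master_password: str) -> bytes:
    """Client side: a one-way value sent to the server for authentication only."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_enroll(login_value: bytes) -> dict:
    """Server side: store a fresh salt and a hash of the login value, nothing else."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_value, salt, PBKDF2_ROUNDS)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, login_value: bytes) -> bool:
    """Server side: check a login attempt using only the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_value, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["verifier"])


def server_holds_vault_key(record: dict, vault_key: bytes) -> bool:
    """Defender check: does anything in the server record equal the vault key?"""
    return any(hmac.compare_digest(v, vault_key) for v in record.values())


def login_attempt(record: dict, master_password: str, email: str) -> bool:
    """Full client-to-server flow for one login attempt."""
    key = derive_vault_key(master_password, email)
    return server_verify(record, derive_login_value(key, master_password))


if __name__ == "__main__":
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    key = derive_vault_key(password, email)
    record = server_enroll(derive_login_value(key, password))
    print("login ok:", login_attempt(record, password, email))
    print("server holds vault key:", server_holds_vault_key(record, key))
```

Even if the server record were stolen, an attacker would still have to guess the master password offline, which is why a long, unique master password matters and why a reset is only a precaution.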

LastPass said it is currently evaluating further mitigation techniques and will be taking steps to strengthen the security of its environment. This is not the first cyberattack to be experienced by LastPass. In 2015, the company experienced an attack in which hackers were able to obtain the usernames of certain customers, along with their hashed master passwords. A password reset was then enforced as a precaution, although since only hashed passwords were stolen, there was only a risk for users who had set weak master passwords.

LastPass users have also been targeted in a credential stuffing campaign. LastPass warned its customers in late 2021 that it had detected unusual attempted login activity and had identified an uptick in security alerts related to user accounts. The investigation confirmed this was due to credential stuffing attacks, in which threat actors use usernames and passwords compromised in third-party data breaches to try to access accounts on other platforms. These attacks can only succeed when a password has been reused across multiple accounts. If a unique master password is set for an account, it will be protected against credential stuffing attacks.

Successful cyberattacks on password managers are relatively uncommon, and while such an attack could potentially give a threat actor access to a user’s password vault, password managers are still recommended and can greatly improve password security. All users of password managers should ensure they choose a long, complex, and unique password or passphrase for their password manager account and should set up multi-factor authentication. For even greater security, consider using the secure username generator of a password manager, if that feature is offered.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.