There are very few security services I pay for, especially subscription services. But even while open-source and self-hosting is my jam, one of the few I do pay for is LastPass, a leading password management product. After using it in a corporate setting, I fell in love with the LastPass and even got my whole family onboard with it. If nothing else, this allows me to sleep better at night as the officially designated CISO of the Martin family.
Unfortunately, LastPass suffered a breach in late November 2022. This follows hot on the tail of a previous security incident in August 2022. In both instances, LastPass displayed extraordinary transparency and excellent communication with its customers. Both times I received a prompt email from LastPass leadership detailing what happened and how the breach occurred, plus deep technical explanations ensuring that customer data was still secure. This rapid response lies in stark contrast to the many recent incidents in which the top names in tech have waited months to disclose breaches, told different stories internally and externally, and failed to own up to mistakes.
The Post-Breach Fallout: Fool Me Once, Shame on You
Breaches happen and will continue to happen; criticism comes when organizations do not communicate effectively or refuse to disclose incidents externally because “they’re not legally required to.” What is rare to see is a company with the notoriety of LastPass breached multiple times in quick succession, and the resulting uproar is caused not by communication issues but rather by accusations of what the breached company did not to.
When a company is breached for the first time, what undoubtedly follows is weeks or even months of round-the-clock engineering work to remediate and patch any vulnerabilities. One of the most critical steps in a security incident investigation is forensic analysis, which reveals the intricacies of the attack and what data may have been viewed or stolen. On the public-facing side, media scrutiny may be intense at first but will eventually subside.
The first LastPass breach in August was caused by the compromise of a single, privileged developer account. Development resources typically have access to a company’s most critical assets, including customer data, financial records, and personally identifiable information (PII). In this case, the developer in question had access to LastPass source code. This is likely where the second LastPass breach began its life.
The Secrets are in the Source Code
When source code is stolen, most people probably assume that the purpose was to try and gain pieces of the victim’s platform to implement in a competitive product. But in reality, attackers are usually after the hard-coded credentials that lie within code.
Legacy code, especially for homegrown applications, is often riddled with username and password combinations or API key credentials in cleartext for anyone to grab and use as needed. Why? Because it is usually a lot less work than integrating a credential vault solution or using a credentials file that a developer must maintain indefinitely. Though it pains us security folks to hear it, in the dev world speed to release tends to be a priority over proper security.
If the LastPass attacker was able to steal source code, this means they had access to inject a malicious payload into the software supply chain as well. There have been no confirmations from LastPass on whether this happened, but it is a possibility. The infamous SolarWinds hack was caused by their software development cycle being breached; malware infected the code that was shipped to customers globally, ultimately infecting those customers as well.
