back to article LastPass source code, blueprints stolen by intruder

Internal source code and documents have been stolen from LastPass by a cyber-thief. The password manager maker said on Thursday that someone broke into one of its developer's accounts, and used that to gain access to proprietary data. The biz, a big beast in the security world and based in Massachusetts, insisted that its …

  1. Anonymous Coward
    Joke

    Let me guess...

    Let me guess... the hacker broke into the developer's account, navigated to their internal repo and Lastpass filled in the password for him?

    1. The Man Who Fell To Earth Silver badge
      Boffin

      Re: Let me guess...

      LastPass should just spin it as their attempt to catch up with open source Password Safe (https://pwsafe.org/).

  2. LDS Silver badge
    WTF?

    "We're told that these master passwords are still safe"

    Why should they have those master passwords?

    1. diodesign (Written by Reg staff) Silver badge

      Why should they have those master passwords?

      They don't, from the LastPass FAQ:

      "We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password."

      C.

      1. LDS Silver badge
        Devil

        Re: Why should they have those master passwords?

        "Excusatio non petita, accusatio manifesta"

        Why they had to tell those passwords were still safe, if they never store or have knowledge of such passwords? Hope it was just an overzealous PR... <G>

        1. anothercynic Silver badge

          Re: Why should they have those master passwords?

          Because inevitably someone will ask that question... "Will my passwords still be safe".

          1. LDS Silver badge

            Re: Why should they have those master passwords?

            The objection was about the **master** password, not the encrypted ones. Without the master passwords of course they should be still safe if the encryption is right, even if they ware stolen.

            But why they didn't reply "we haven't your master passwords" instead of "We're told that these master passwords are still safe, and haven't been compromised or accessed by the intruder, "? If LastPass doesn't have the passwords, how could they be compromised or accessed?

            A simple mistake under the rush, or a Freudian slip? Think about it...

            Is the master password sent to LastPass? In a good system that password would never be sent to LastPass, the encrypted data would be sent to you and decrypted locally, with the master password never leaving the local system If it is sent remotely, who knows if a "rogue developer" or a "configuration error" doesn't make it end is some "log"? As if it never happened before...

            1. Falmari Silver badge

              Re: Why should they have those master passwords?

              @LDS "A simple mistake under the rush, or a Freudian slip? Think about it..."

              From their statement linked in the article.

              "FAQs

              1. Has my Master password or the Master Password of my users been compromised?

              No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here."

              So not a "Freudian slip" just covering an expected question.

            2. anothercynic Silver badge

              Re: Why should they have those master passwords?

              My point stands. Because inevitably PEOPLE. WILL. ASK. THE. OBVIOUS. QUESTION.

              1. Roland6 Silver badge

                Re: Why should they have those master passwords?

                >Because inevitably PEOPLE. WILL. ASK. THE. OBVIOUS. QUESTION.

                And - given the number and level of security breaches to IT systems, where businesses haven't followed sensible security practices - rightly so.

            3. This post has been deleted by its author

        2. Roland6 Silver badge

          Re: Why should they have those master passwords?

          >Why they had to tell those passwords were still safe

          A concern has to be whether the source code extracted could provide details about LastPass's master password implementation that would facilitate an attack.

      2. An_Old_Dog Silver badge
        Devil

        Just the FAQs, Ma'am

        I am wondering: if they lied to us about not having a plaintext copy of our master password, and about not having plaintext copies of our secondary passwords, could we know that they had lied?

        I don't have reason to believe they are lying, I'm just being the Devil's advocate.

        1. Roland6 Silver badge
          Big Brother

          Re: Just the FAQs, Ma'am

          Following your logic...

          Given you enter the master password via a keyboard - OS - browser - app; it isn't impossible for Microsoft, Google et al to have your master password...

          1. anothercynic Silver badge

            Re: Just the FAQs, Ma'am

            If you run any browser extensions, those extensions will be able to get your password, yes...

            1. Def Silver badge

              Re: Just the FAQs, Ma'am

              I use Last Pass through a browser extension. It would be nice to think different extensions are sandboxed from each other. Certainly, if that's not the case then any Web browser based on Chromium will find itself being uninstalled tomorrow.

              1. NATTtrash Silver badge

                Re: Just the FAQs, Ma'am

                No experience with LastPass here, but isn't it a "web thingy"? Call me geriatric or tin foil hat, but I always had some problems with the concept of keeping your critical passwords in a (software) vault, and then storing "the vault" on somebody elses hard drive/ computer...

          2. An_Old_Dog Silver badge

            Re: Just the FAQs, Ma'am

            It's impossible for Microsoft, Google, Apple, etc. to have my master password, because I do not have a master password.

            Yes, it is "inconvenient" for me.

        2. SVD_NL

          Re: Just the FAQs, Ma'am

          You of course can't know that, but given that a compromise of a plaintext password dump like that opens you up to billions upon billions of dollars of liability, in return absolutely no strategic or monetary gain, i think you can safely assume that's not the case.

          1. An_Old_Dog Silver badge

            Re: Just the FAQs, Ma'am

            That doesn't seem to have stopped various companies doing that sort of thing in the past.

            Please provide one instance of a company who has successfully been sued for or governmentally-penalized for one billion dollars or more for having improperly secured customer data. Typically, the legal appeals process results in reduced awards to the plaintiffs.

    2. Version 1.0 Silver badge
      Angel

      Re: "We're told that these master passwords are still safe"

      I was going to use "MasterPassword" as my password but I thought that was a little risky. So my master password is now PrifGyfrinair - I'm confident that it's very safe to make all my passwords Welsh..

      1. First Light Silver badge

        Re: "We're told that these master passwords are still safe"

        Yes the Celtic languages can be helpful for these things!

      2. amacater

        Re: "We're told that these master passwords are still safe"

        Unless your data is snarfed by someone from Y Wladfa :)

        1. Roland6 Silver badge

          Re: "We're told that these master passwords are still safe"

          Do they have internet in "The Colony"?

      3. An_Old_Dog Silver badge

        Re: "We're told that these master passwords are still safe"

        Don't be too smug: foreign/ancient-language dictionaries are available on-line, and probably have been downloaded by serious bad guys looking to get peoples' passwords.

  3. sarusa
    FAIL

    Here come the exploits

    Of course if LastPass security and design is perfect then it doesn't matter if the source code is stolen.

    But if there are any bugs at all (and there always are, and LastPass doesn't have a perfect record) then the attackers now have holes to drive through.

    1. DS999 Silver badge

      Re: Here come the exploits

      Or they can build a clone that works exactly like the real one, except that it sends your passwords to the hackers, and rely on the usual social engineering to get people they target to download it as an "update".

      1. Paul Crawford Silver badge

        Re: Here come the exploits

        That is the more likely scenario to worry about.

  4. garretmh

    Time to open source

    The bad guys have your source code, so you might as well open it up to everyone. Then if you’re lucky maybe someone nice will spot your vulnerabilities and report them. I doubt these guys will.

    1. bpfh Silver badge

      Re: Time to open source

      Then they need to provide some details on why the online storage of the encrypted blob costs so much to host on their cloud. I could hire a small vps for their subscription cost…

  5. Auntie Dix Bronze badge
    Facepalm

    Last-Passed Gas

    An insecure security firm that once again smelt it and dealt it. Time to light a match, leave, and never look back.

  6. Locky
    Coat

    Alexia, how do I migrate from LastPass to BitWarden?

    1. Fonant
      Thumb Up

      Very easily! Recommended.

      1. AJ MacLeod

        Even better when you run your own server (see Vaultwarden)

    2. This post has been deleted by its author

    3. Roland6 Silver badge

      and a non-US HQ'd password manager ...

      1. Not an Anonymous Coward

        Apparently North Korea have a fantastic password manager under development.

    4. Anonymous Coward
      Anonymous Coward

      I use Keepass. As the database is only stored locally, nobody else has the master password, a hashed version, the encrypted database, etc. (Except my backup provider, who has an encrypted version of the encrypted database - using different passwords.)

    5. Phil Kingston

      https://bitwarden.com/help/import-from-lastpass/

      Watch for the bugs around some special characters

  7. sitta_europea

    Seems to me that having a single password that gives access to all you rother passwords is a bit like single sign-on.

    Crazy.

    1. stiine Silver badge

      Its a manual version single-signon.

      1. stiine Silver badge

        guess where the word 'of' should be...

        Its a manual version OF single-signon.

  8. Blackjack Silver badge

    Is online, so you are fck

    [So this App thingie keeps all my passwords safe right? But what if someone gets the password to this password manager? Won't they get all my passwords then?]

    I said that ages ago before "All Data Must be Online" was a sort of divine mandate.

    How naive I was -_-

    1. Anonymous Coward
      Anonymous Coward

      Re: Is online, so you are fck

      If your browser is compromised, then your FalseMuleCapacitorPaperclip master password is also compromised, along with every password that you've allowed to be auto-filled, or entered manually.

      1. Roland6 Silver badge

        Re: Is online, so you are fck

        That is why it is good idea not to have the login to your recovery/password change email account stored in your password vault or browser.

        Unfortunately, this does cause problems...

        For example the EE app likes to randomly demand your account password instead of pin/biometric. Obviously you only use that on the laptop's browser and not on the phone and with the special character rules, you aren't going to remember it. So the only way to urgently transfer data say is to reset the password, which gets sent to a different email account to the one on the phone...

      2. An_Old_Dog Silver badge

        Re: Is online, so you are fck

        Upvote for tongue-in-cheek XKCD reference.

  9. JimmyPage
    Stop

    On balance, it's still better to use a password manager.

    because the alternative is that *you* manage your passwords. And en masse, that is the worst possible outcome.

    There's something about a lot (but thankfully not all) IT specialists that makes them require a far higher bar for IT security than they do for anything in the real world. I suspect it's so some of them can act the Bertie Big Bollocks at parties (maybe I'msour because I don't get invited to those sort of parties ?).

    As long as your security is a single step ahead of the bad guys - who are either targeting a very small subset of high net worth accounts, or alternatively just trawling the masses - you'll be OK.

    The real value of a password manager is to allow me to have 1,000+ unique gibberish passwords of eye watering entropy. Have I been pawned ? Do I care ?

  10. Anonymous Coward
    Anonymous Coward

    i wonder....

    If the hacker obtained the code for their administrative interface, how likely is it that some time in the near future they will log back in and delete everything? For example, hit every database server with a 'drop database' for every db?

    1. Phil Kingston

      Re: i wonder....

      Probably more interested in just saying they'll do something malicious and demand Bitcoin/whatever crypto the cool kids are ploughing dollarbucks into this week.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like