Initial Thoughts on the LastPass Breach
Yesterday, August 25, LastPass notified its users that one of its developer systems was compromised and that some source code was stolen. This understandably resulted in a fair amount of concern for the security of the critical passwords they protect for millions of clients. However, before I delve deeper into what I consider to be a couple of areas of concern, let me put your mind at ease regarding your LastPass account:
LastPass uses a zero-knowledge architecture. This means that client information would still be fully encrypted and secured even if their systems were completely compromised (they weren't). More details here: https://www.lastpass.com/security/what-if-lastpass-gets-hacked. In order for the bad guys to access the encrypted data, they would need a client's master password. That same password that you use to access your account is what your vault's encryption key is derived from, on your own device, using a key-derivation function (LastPass uses PBKDF2-SHA256); the key itself is never sent to LastPass, so the encrypted vault is useless without the master password. As long as you are using a strong, unique password you should be safe. If you need some ideas on how to create a great password, check out this video: Complex Password Tips and Tricks. So your passwords are safe... probably. I'm confident enough as a security professional that LastPass is still my platform of choice, and I will continue to trust them, but I do have to ask the 'what if' questions. Let's dive into those now.
My first concern - Stealing source code looks bad from a public confidence perspective, but unlike many software solutions, LastPass is, first and foremost, a security solution. They are constantly reviewing, testing, and hardening their solution against attacks. I would find it hard to believe they would have any backdoors or significant exploitable flaws in the code. My bigger concern is not that the code was stolen but the possibility that a bad actor modified the source code before being discovered, injecting a backdoor into the product. Once again, anything like this SHOULD be caught during routine code review and automated testing. Still, it has happened before (the SolarWinds build-pipeline compromise is the best-known case). This would be potentially devastating for the security of everyone using LastPass. It is unlikely this occurred, but one of the primary focuses of the forensics company hired by LastPass will be to reconstruct the attack timeline: when the bad actor gained access, what they touched during that time, and whether any commits were made or altered from the compromised system. I'm sure they will be thoroughly reviewing all of that developer's recent code as well.
My second concern is more theoretical - if the bad actors gained access to the actual client database, which is unlikely as development environments are isolated from production, then the key derived from each user's master password is the only defense between the passwords and the bad guys. Depending on how the database is structured, if they were able to determine email addresses/usernames for accounts, they could take known compromised passwords from the dark web and try them as master-password guesses directly against each user's encrypted vault, offline, on their own hardware. An attacker holding a copy of the vault never has to log in to LastPass, so this is one case where two-factor authentication would not help, since 2FA only gates the login (unless LastPass somehow was using 2FA to encrypt as well - cool idea, but unlikely).
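To make the two points above concrete (the zero-knowledge design from the first section, and the offline guessing scenario from this one), here is a small Python model. It is example code written for this post, not LastPass's own code: the email-salted PBKDF2-SHA256 key derivation and the one-extra-round login hash follow what LastPass describes publicly, the iteration count is the client-side default they used at the time, and the HMAC-based stream cipher is a stand-in for the AES-256 they actually use, because the Python standard library has no AES. The account, vault contents and "leaked" password list are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for this illustration (not real accounts or breach data).
EMAIL = "alice@example.com"
VAULT = b"github.com / alice / Tr0ub4dor&3\nbank.example / alice / hunter2-long"
REUSED_PASSWORD = "Summer2022!"                      # also appears in a breach dump
STRONG_PASSWORD = "ocelot-ferrous-ledger-94-quince"  # unique, in no dump
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "Summer2022!", "letmein"]

# PBKDF2 iteration count: LastPass's documented client-side default at the time;
# in this model it is simply the per-guess cost parameter.
ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side: a 256-bit vault key from the master password, salted with the
    account email. This key never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to authenticate: one further PBKDF2 round over the key
    (modelled on LastPass's published scheme; an assumption of this example). The
    server can verify this without ever holding the key or the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for AES-256 because the standard
    library has no AES. Illustrative only, not a recommended cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. This blob is all the server stores."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (the tag check fails first,
    so a wrong key yields nothing rather than garbage)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(vault_key, nonce, len(ciphertext))))


def offline_guess(blob: bytes, email: str, candidates, iterations: int = ITERATIONS):
    """Attacker holding a stolen blob plus the account email. No server round trip,
    so no 2FA prompt: each guess costs exactly one key derivation."""
    for candidate in candidates:
        if decrypt_vault(derive_vault_key(candidate, email, iterations), blob) is not None:
            return candidate
    return None


def scenario(master_password: str) -> dict:
    """Run the model end to end for one user and report what each party can do."""
    key = derive_vault_key(master_password, EMAIL)
    blob = encrypt_vault(key, VAULT)
    return {
        "server_holds": {"login_hash": derive_login_hash(key, master_password), "blob": blob},
        "client_can_decrypt": decrypt_vault(key, blob) == VAULT,
        "wrong_password_decrypts": decrypt_vault(derive_vault_key("not it", EMAIL), blob) is not None,
        "cracked_with_leaked_list": offline_guess(blob, EMAIL, LEAKED_PASSWORDS),
    }


if __name__ == "__main__":
    for pw in (REUSED_PASSWORD, STRONG_PASSWORD):
        r = scenario(pw)
        print(f"{pw!r}: client decrypts={r['client_can_decrypt']}, "
              f"cracked offline={r['cracked_with_leaked_list']!r}")
```

Run it and the reused master password is recovered from the blob alone after a handful of key derivations, while the strong, unique one is not. Nothing in that loop ever contacts a server, which is exactly why 2FA does not enter the picture: once the ciphertext is in the attacker's hands, the per-guess cost (the PBKDF2 iteration count) and the strength of the master password are the only two levers left.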
In summary:
Keep using LastPass
Make sure that you have a solid Master Password
Turn on 2FA
and kudos to LastPass for reporting in a timely and transparent manner.
Thanks for reading, and let me know your thoughts in the comments.