LastPass has been compromised. It’s good that they’re disclosing it in relatively short order. You might say it was the keys to the kingdom that were stolen: someone pilfered ‘portions’ of their source code, along with some proprietary technical information. It has not been revealed what ‘some’ or ‘portions’ actually means.
The source code and the proprietary technical information give a potential attacker a better understanding of how LastPass works, and therefore a better idea of how to exploit the service.
Could this be worse than a password database exfiltration? It all depends on what was in that source code and the technical information.
With a lot of our data being in the cloud, we should be vigilant about which companies have our data, how they store it, …
There has been a lot of news over the past several years about unsecured AWS S3 buckets holding unencrypted credentials, ransomware running roughshod over organizations, … It is surprising to hear of proprietary technical information and source code for a security-focused business being stored on publicly accessible servers.
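The “unsecured S3 bucket” failure mode mentioned above is usually one of two misconfigurations: an ACL grant to the AllUsers/AuthenticatedUsers groups, or a bucket policy that allows a wildcard principal. The following is an added example (not code from the original post or from LastPass) that audits both from the JSON shapes that `get_bucket_acl` and `get_bucket_policy` return; the bucket records at the bottom are constructed sample data, and the bucket names are placeholders.

```python
"""Flag S3 buckets whose ACL or bucket policy exposes them to everyone.

Input shapes mirror the dicts returned by boto3's get_bucket_acl() and
get_bucket_policy() (policy is a JSON string), but the records below are
constructed for this example and never touch AWS.
"""
import json

# Canonical AWS group URIs used in ACL grants; either one means "public".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Read-type actions that, combined with a wildcard principal, expose data.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def acl_public_grants(acl):
    """Return the permissions granted to the public group URIs in an ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append(f"ACL grants {grant.get('Permission')} to {grantee['URI']}")
    return findings


def policy_public_reads(policy_json):
    """Return Allow statements with a wildcard principal and a read action.

    Statements that carry a Condition are reported separately: they may be
    scoped (e.g. to a VPC) and deserve a human look rather than an auto-flag.
    """
    findings = []
    if not policy_json:
        return findings
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        tag = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')}: {tag} public {sorted(actions)}")
    return findings


def audit_buckets(buckets):
    """Map bucket name -> list of exposure findings (empty list == clean)."""
    return {
        b["Name"]: acl_public_grants(b.get("Acl", {})) + policy_public_reads(b.get("Policy"))
        for b in buckets
    }


# Constructed sample data: one public ACL, one wildcard policy, one clean bucket.
SAMPLE_BUCKETS = [
    {
        "Name": "example-build-artifacts",  # placeholder name
        "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                             "Permission": "READ"}]},
        "Policy": None,
    },
    {
        "Name": "example-source-mirror",  # placeholder name
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"}]},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-source-mirror/*"}]}),
    },
    {
        "Name": "example-private",  # placeholder name
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"}]},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-private/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    },
]

if __name__ == "__main__":
    for name, findings in audit_buckets(SAMPLE_BUCKETS).items():
        print(name, "->", findings or "clean")
```

In a real account the same functions can be fed the output of `boto3.client("s3").get_bucket_acl(Bucket=name)` and `get_bucket_policy(Bucket=name)["Policy"]`; the checker deliberately treats a `Deny` statement or a conditioned `Allow` differently from an unconditional wildcard `Allow`, since only the last of those is an unambiguous exposure.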
Ultimately, in a security-focused organization, the source code and technical information should be on air-gapped networks. In a non-security-focused organization, the developer accounts should at a minimum be 2FA-secured, but it seems that in this case the account was secured only by a password. It’s not clear how the hackers gained access to the account (brute force or social engineering), either. In this case, the security-focused organization is not really setting a good example for the rest of us.
Organizations can learn a lot from this. The question is, will they?