Cybersecurity incident at LastPass. Should you worry?
LastPass has just suffered a cybersecurity incident. What are the risks? Should you worry?
This morning, LastPass announced a security incident:
I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.
Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.
In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.
Thank you for your patience, understanding and support.
In general, there is little to worry about. LastPass is an end-to-end-encrypted (zero-knowledge) service: the key that encrypts your password vault on their servers is derived, on your own device, from your LastPass master password, and LastPass makes it their business NOT to know that password. As long as nobody else learns your master password, the vault stored on their servers stays safe, even if the stored copy were taken. The one caveat a practitioner would add is that anyone who does obtain the encrypted vault can try master-password guesses offline, so the protection is only as strong as the master password and the cost of the key derivation. LastPass also reports no evidence that customer data, which would include personal and payment information, was accessed in this incident.
What was compromised was part of the source code of their software. That in itself is not such a big deal. Plenty of security-critical software that powers much of the Internet today (e.g. OpenSSL) is open source, meaning its source code is publicly available, and a sound design does not depend on the code staying secret: the security rests in the keys, not in the algorithm (Kerckhoffs's principle). Assuming LastPass knows what it is doing when it comes to engineering secure software systems, and that the code does not embed secrets such as signing keys or credentials, having the source code stolen is more of a commercial issue than a cybersecurity issue, although it does give an attacker a head start in auditing the code for bugs.
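To make the two points above concrete, here is an added, simplified model of a zero-knowledge vault. It is not LastPass's code: the iteration count, the login-hash derivation, the HMAC-SHA256 counter-mode cipher with encrypt-then-MAC, and the record field names are all assumptions chosen so the example runs on the Python standard library alone (LastPass itself uses AES). The point is that the "source" is fully visible here, and the server's records (salt, login hash, ciphertext) are visible too, yet nothing opens the vault except the master password; the only attack left is guessing that password offline, which is exactly why its strength and the key-derivation cost matter.

```python
"""Added illustration of a zero-knowledge password vault (not LastPass's code).

The client derives everything from the master password; the server only ever
sees a login hash and an encrypted blob.  All constants are assumptions.
"""
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 rounds: assumed value, chosen for illustration only.
ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: vault key from the master password, salted with the account id."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS, 32
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: what is sent to authenticate.  One more PBKDF2 round over the
    vault key, so the server cannot invert it to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a simple PRF-based stream cipher
    (teaching construction; a real client would use AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the vault key.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (wrong master password) fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def server_records(email: str, master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the server stores.  The master password and vault key never leave the client."""
    vault_key = derive_vault_key(master_password, email)
    return {
        "login_hash": derive_login_hash(vault_key, master_password),
        "blob": encrypt_vault(vault_key, vault_plaintext),
    }


def open_vault(email: str, master_password: str, blob: bytes) -> bytes:
    """Client side: re-derive the key from the master password and decrypt."""
    return decrypt_vault(derive_vault_key(master_password, email), blob)


def offline_guess(email: str, blob: bytes, candidates: list[str]):
    """What an attacker holding the stolen blob and this full source can do:
    try master-password guesses offline, paying ITERATIONS rounds per guess.
    Returns the guess that opens the vault, or None."""
    for guess in candidates:
        try:
            decrypt_vault(derive_vault_key(guess, email), blob)
            return guess
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample account and vault contents.
    rec = server_records("alice@example.com", "correct horse battery staple",
                         b"site=example.com user=alice pw=hunter2")
    print(open_vault("alice@example.com", "correct horse battery staple", rec["blob"]))
    print(offline_guess("alice@example.com", rec["blob"], ["password", "123456"]))
```

Note that `offline_guess` needs nothing that a source-code leak would reveal; a published algorithm is the assumed starting point. What it does need is the encrypted blob, which is why the announcement's "no evidence of access to encrypted password vaults" is the sentence that matters, and why the iteration count and the master password's entropy are the only levers the user controls.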
However, there is one other possible cybersecurity risk that I worry about. It may be unfounded, and I hope it is, but it is a risk nevertheless. So, what is that risk?