
LastPass was hacked -- again

The good news is that no passwords appear to have been revealed from the password-saving site. The bad news is that its source code has been compromised.

LastPass, the popular password management service, recently announced that it was hacked. Specifically, LastPass's CEO Karim Toubba wrote that an "unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information."

This isn't the first time LastPass has had security problems. In 2021, it appeared that some users' LastPass Master Passwords may have been revealed. LastPass replied that it hadn't been breached, but users who had received emails warning them that an unknown person was trying to log into their accounts weren't convinced. Nevertheless, LastPass insisted that it was just the result of a credential stuffing attack.


In 2020, LastPass had a major outage, and users reported they couldn't log into their accounts or autofill passwords. In 2019, a significant LastPass security problem was uncovered by security researchers as well.

None of these problems alone is that bad. Yes, it's awful that one developer's account was hacked, but it happens.

That said, it's still concerning that the biggest password security company -- with a claimed 20 million customers -- has significant, annual security problems.

True, as Toubba claimed, with this week's hack, "We have seen no evidence that this incident involved any access to customer data or encrypted password vaults." But with proprietary source code and technical secrets revealed, the possibility of an attack that could reveal users' passwords is certainly there.

This is yet another example of how proprietary code is less secure than open-source code. With open-source password programs, such as Bitwarden, all the code is checked by independent experts. This ensures potential security weaknesses can be spotted before they become security holes.

In this case, however, LastPass has "engaged a leading cybersecurity and forensics firm" to investigate what happened. LastPass is also implementing enhanced security measures. They've seen "no further evidence of unauthorized activity."

From where I sit, this is too little, too late. But it's still something.

LastPass, with its zero-knowledge model, is still a good password security company. But if you want to look for another password manager, no one would blame you.
