LastPass confirms attackers stole some source code

It says user data doesn’t seem to have been accessed or affected

But source code isn’t a skeleton key.
Photo by Amelia Holowaty Krales / The Verge

Earlier this week, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.” In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

Toubba goes on to explain that the company has “implemented additional enhanced security measures” after containing the breach, which it detected two weeks ago. The company wouldn’t comment on how long the breach had been going on before it was detected.

Don’t panic, LastPass users

As LastPass explains, at this point its users don’t have to do anything — there’s no reason for you to spend an afternoon changing your master password and doing a full security audit. LastPass, on the other hand, probably has its work cut out for it making sure that it doesn’t have to make any changes now that an unauthorized party may have access to its source code.

To be clear, hackers having access to a program’s source code doesn’t mean they can instantly pwn it and break through its defenses. Famously, Microsoft says it doesn’t rely on its source code remaining private for security and that people being able to read it shouldn’t be a risk (which is a good thing because its source code leaks a lot). And while that should be the case for any company, especially ones whose entire deal is keeping your passwords safe, if I were a LastPass customer I’d probably want the company to be poring over its code just to make sure there aren’t any subtle vulnerabilities that it missed.

Although the breach doesn’t seem to be a red alert for security problems at the company, it’s still not a great look for a password manager that’s been struggling with its reputation. It’s just the latest in a line of incidents for LastPass (the software’s Wikipedia page is largely made up of a section titled “security issues”), and the company also earned the ire of many users for changing its free tier to be significantly less useful in early 2021.
