SoylentNews is people

posted by janrinok on Tuesday August 30 2022, @11:43AM

LastPass confirms attackers stole some source code:

LastPass is letting its users know that there was a recent security incident at the company where someone was able to access some source code for its password manager as well as proprietary technical information.

Earlier this week, LastPass started notifying its users of a "recent security incident" where an "unauthorized party" used a compromised developer account to access parts of its password manager's source code and "some proprietary LastPass technical information." In a letter to its users, the company's CEO Karim Toubba explains that its investigation hasn't turned up evidence that any user data or encrypted passwords were accessed.

Toubba continues on to explain that the company has "implemented additional enhanced security measures" after containing the breach, which it detected two weeks ago. The company wouldn't comment on how long the breach had been going on before it was detected.

As LastPass explains, at this point its users don't have to do anything — there's no reason for you to spend an afternoon changing your master password and doing a full security audit. LastPass, on the other hand, probably has its work cut out for it making sure that it doesn't have to make any changes now that an unauthorized party may have access to its source code.

To be clear, hackers having access to a program's source code doesn't immediately mean they can instantly pwn it, breaking through its defenses. Famously, Microsoft says it doesn't rely on its source code remaining private for security and says that people being able to read it shouldn't be a risk (which is a good thing because its source code leaks a lot). And while that should be the case for any company, especially ones whose entire deal is keeping your passwords safe, I'd probably want the company to be poring over its code just to make sure there aren't any subtle vulnerabilities that it missed if I were a LastPass customer.


  • (Score: 3, Interesting) by Gaaark (41) on Tuesday August 30 2022, @01:49PM (#1269190)

    I no got mail!

    I got nothing in inbox, spam, trash.... they no like me?

    I heard from Plex, but not from lastpass. Maybe they didn't tell the free users?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---