Last week, LastPass confirmed it had been a victim of a data breach that occurred two weeks prior when a threat actor gained access to its internal development environment. Even though the intruder did not access any customer data or passwords, the incident did result in the theft of its source code. 

“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source and some proprietary LastPass technical information,” Karim Toubba, CEO of LastPass, wrote in a blog post. 

For CISOs, the incident demonstrates that your source code is no less a target than your customer data, as it can reveal valuable information about your application’s underlying architecture. 

What does the LastPass breach mean for organizations? 

While LastPass has assured users that their passwords and personal data were not compromised, with 25 million customers, it could have been much worse — particularly if the intruders managed to harvest user logins and passwords to online consumer and enterprise accounts.

“Lastpass’ developer system was hacked, which may or may not be a risk to users, depending upon the privilege level of the hacked system. Developer systems are generally isolated from devops and production environments,” said Hemant Kumar, CEO of Enpass. “In this case, users should not worry. But if the system has access to the production environment, the situation can have consequences.”

Kumar warns that any organization that provides a cloud-based service is a “lucrative target” for attackers because they provide a goldmine of data, which cybercriminals can look to harvest. 

Fortunately, successful attacks on password managers are quite rare. One of the most notable incidents occurred back in 2017 when a hacker used one of OneLogin’s AWS keys to gain access to its AWS API via an API provided by a third-party provider. 

Key takeaways for CISOs 

Organizations that are currently using cloud-based solutions to store their passwords should consider whether it’s worth switching to an offline password manager so that private data is not stored on a provider’s centralized server.  

This prevents an attacker from targeting a single server to gain access to the personal details of thousands of customers. 

Another alternative is for organizations to stop relying on password-based security altogether. 

“If the hackers have the ability to access password vaults, this could literally be the industry’s worst nightmare. Having access to logins and passwords provides the keys to control a person’s online identity with access to everything from bank accounts, social media and tax records,” said Lior Yaari, CEO and cofounder of Grip Security. “Every company should immediately require users to ensure no personal passwords are used for work to reduce the likelihood of this type of breach.”

In the meantime, organizations that do not want to swear off passwords completely can keep an eye out for any further news released about the breach, and encourage employees to enable multifactor authentication on their online accounts to prevent account takeovers as a result of compromised credentials.