Tom here from Lawrence Systems and on August 25th of 2022, LastPass reported a security incident. Now I'm reading this incident from their blog post, but this was also sent out as an email to LastPass users and customers and is a notice of recent security incident. And we'll just jump right to the important part that you want to know. After initiating an immediate investigation, we have seen no evidence that this incident involves any access to customer data or encrypted password vaults. Now a little further down, it reads, we have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and some proprietary LastPass technical information. Our products and services are operating normally. So essentially what this means is this was an attack on one of their developers to get into their development environment, not their production environment. Undoubtedly the goal of the threat actor that was doing the attacking was to get into the dev environment, maybe make some type of code change that could be hopefully passing the QA cycle before it goes into production. That's a speculative reach, but that's usually why they're attacking the supply chain so they can get something into LastPass. But good news, there is no customer data that was compromised, nor usernames, nor the encrypted blob they hold on to. Now if you're curious what I mean by encrypted blob, I have a more technical video down below about how LastPass and I actually use Bitwarden as an example, but they both do the same thing where they do not store your master password. They don't even want your master password. That is done through a hashing mechanism. So it's never really sent to them. So it can never really be compromised. 
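To make the "hashing mechanism" concrete, here is an added example that is not from the video or from LastPass or Bitwarden: a simplified, assumed client/server split in which the client stretches the master password into a vault key with PBKDF2, derives a separate login hash from that key, and the server only ever stores a salted hash of the login hash. The iteration count, the use of the email address as salt, and the function names are illustrative assumptions, not either product's real parameters.

```python
import hashlib
import hmac
import os

# Assumed, simplified parameters for illustration only; not LastPass's or
# Bitwarden's actual constants or protocol.
KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the key that encrypts the vault.

    The (lower-cased) email is used as the salt so two users with the same
    password still get different keys. This value never leaves the client.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), KDF_ITERATIONS
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more PBKDF2 round turns the vault key into a login value.

    Only this value is sent to the server; it is not the password and not the
    vault key, and PBKDF2 is one-way, so the server cannot recover either.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def client_login_material(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Everything the client computes locally: (vault_key kept local, auth_hash sent)."""
    vault_key = derive_vault_key(master_password, email)
    return vault_key, derive_auth_hash(vault_key, master_password)


def server_enroll(auth_hash: bytes) -> dict:
    """Server side: store a freshly salted, stretched hash of the auth hash.

    Even the auth hash itself is not stored, so a stolen server record does not
    directly replay as a login.
    """
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, KDF_ITERATIONS)
    return {"salt": salt, "stored_hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["stored_hash"])


def record_contains_secret(record: dict, master_password: str, vault_key: bytes) -> bool:
    """Sanity check for the defender: does anything stored server side equal or
    contain the master password or the vault key? It should not."""
    pw = master_password.encode()
    for value in record.values():
        if pw in value or vault_key in value:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample user; not real credentials.
    email, password = "user@example.com", "correct horse battery staple"
    vault_key, auth_hash = client_login_material(password, email)
    record = server_enroll(auth_hash)
    print("login with right password:", server_verify(record, auth_hash))
    _, wrong_hash = client_login_material("wrong password", email)
    print("login with wrong password:", server_verify(record, wrong_hash))
    print("server record leaks password or vault key:",
          record_contains_secret(record, password, vault_key))
```

The point the video makes falls out of the shape of the code: the server never receives the master password or the vault key, so a breach of the server-side record (or of the source code that describes this scheme) does not hand over either one; it only tells the defender how much work the PBKDF2 stretching imposes on an offline guess, which is why a long master password still matters.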
LastPass, and they were among the first password managers that became big doing this, really decided not having your password was a great thing and just managing the encrypted blob because, well, that way there's less to take. That way the other angle is this one here where someone tries to get something into the source code by attacking a developer that maybe in some way weakens the way the system works. This is the attack that they're under all the time. Now I actually really applaud them for the transparency because many companies I believe have minor incidents like this all the time, or maybe this is major depending on your perspective on this, but they clearly have proper controls and were able to see the unauthorized access, and these things happen through different methodologies. Matter of fact, see my video of how I would hack you to talk about how credentials can be stolen even with proper MFA, because I feel confident that the team over at LastPass has proper multi-factor setup, but there are ways you can steal certain tokens, and I'll have that video linked down below because we talk about token stealing and some of the details around that in that video. But back to the point of I'm glad they reported it, but this also creates kind of a problem, and here's a quick take from my wife on this. So you got an email from LastPass. What do you think of it? What does it mean? What does it mean? Yeah. It means they got hacked. They got hacked? They got, oh sorry, they got compromised. Compromised. That's how you read that? Yes, that's what it says. Do you think your passwords are still safe? Nope, I'm gonna move them. Okay. So it says that they took portions of their source code, which means that they have their source code. I imagine that they can figure out how they do it and get in. Okay. Am I right? No. That's why I wanted to start it as a take. Okay. So. 
And the reason I brought that up is because as companies report even a minor incident, people are used to usually the incidents being reported are customer damaging, if you will. Leak of credentials, leak of passwords. Because of that most people see the security incident coming from a company, and especially a password management company, and there's a lot of concerns around it of things being compromised. That must be why they're notifying me. Not that there was something internal going on. I'm hoping though as more companies report and do clear reporting on any incidents around their products, even if they're not a customer direct facing incident where they lost all of our email addresses or customer lists, et cetera, it's going to become the norm and get a better understanding from the security community and then hopefully more of the end users who, you know, my wife is more of an end user. She is not working in tech, and it's just the way people, the average person, perceives it. I just happened to be sitting there and she was reading it, and that's why I brought it up. It is not to pick on her. She just is an average password manager user and not someone who, like myself, works in tech or in cybersecurity and has a more technical understanding of this. Now as far as acquiring the source code, this is also sometimes where people get confused, but no, having the source code does not necessarily mean there's a way in. Bitwarden, for example, is a password manager that I choose because it's fully open source, which means it's been third party reviewed, as is LastPass, but also it can be reviewed by any third party. It's almost a joke, and it was a comment I had the other day where, well, LastPass had their source code stolen or some source code taken, but so did Bitwarden. Lots of people copy it. Security through obscurity is just a terrible idea. Having the source code is not that big of a deal, and if having the source code leads to compromise, your code wasn't secure. 
It just wasn't well vetted and there were some problems with it. So I don't think that's really any part of the security. I also do not think this incident with LastPass should taint people's belief in using a password manager. Now there's going to be someone hammering down in the comments down below that says, yes, shouldn't we all be using some locally stored password manager such as KeePass? I think for technical users, that's perfectly fine. For a lot of the more average, less technical people, managing a database locally on their computer and backing it up properly is going to probably lead to more people losing some passwords. Having something that's deeply integrated into the browser is probably going to be a better choice for the average user. I don't see anything wrong with using tools like KeePass or any local ones out there that are good. But that being said, it's probably not the thing that everyone should do because more people should be using this. I think password managers are a huge benefit to people who normally, and the average user will do this, they will just use the same password in many, many places. And with so many different security incidents where sometimes passwords were lost, not the LastPass one, but with other companies, people's password reuse is still a massive problem here in 2022. But nonetheless, LastPass, thank you for being so forthcoming with this information. We'd love to know more details if there's a security write-up that you can do about how the compromise happened, because as we learn from these different compromises, we understand better the risks we're facing. Maybe if we know some of the tradecraft that was used, there's always ways we can have a learning opportunity for all of us to defend against these things. But either way, companies should keep being transparent and people should keep using password managers. All right, thanks. Links to the videos and other things I talked about down below. 
Does this say anywhere very clearly that no customer data was compromised? It says we have no evidence that this incident involved any access to customer data or encrypted password vaults. Okay. So it basically says that there's that we should be fairly secure. But just by seeing it, it creates a perception. Of course. Okay. Of course. When it says the title is notice of recent security incident. Yeah. We call them security incidents now. Okay. Well, that's our common term in the industry now. For everything that happens. So they were hacked or they weren't? They got their source code, it sounds like, but not your usernames or passwords. Well, they don't store passwords, right? Well, they store an encrypted copy of our sign-in, though. Right. So that's the whole point of this is that because they don't store it, you can't steal it. Correct. If you can't steal it, you're not supposed to be able to access it. Right. Okay. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums. forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching and look forward to hearing from you.