Password management solution LastPass shared more details about the security breach that the company suffered in August 2022. The company revealed that the threat actor had access to its network for four days in August 2022.
LastPass CEO Karim Toubba explained that there is no evidence that the attackers had access to customer data.
“We have completed the investigation and forensics process in partnership with Mandiant. Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident.” reads the Notice of Recent Security Incident published by the company. “There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”
The investigation, conducted with the help of Mandiant, allowed the company to determine that the attackers gained access to the Development environment using a developer’s compromised endpoint.
LastPass added that the Development environment has no direct connectivity to the Production environment.
The threat actors gained access to the Development environment using a developer’s compromised endpoint.
“While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.” continues the notice.
The intruders exploited the persistent access to impersonate the developer after the victim had been authenticated using multi-factor authentication.
“Firstly, the LastPass Development environment is physically separated from, and has no direct connectivity to, our Production environment. Secondly the Development environment does not contain any customer data or encrypted vaults. Thirdly, LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model.” states the notice.
The company pointed out that the attackers did not have access to the master passwords of its customers’ vaults because they haven’t access to them, which means that only the owner of a vault can decrypt vault data.
The company performed a check of its source code to verify its integrity after the attack, it added that developers cannot push source code directly from the development environment into production.
The company also hired a leading cyber security firm to further enhance the source code safety practices adopted by the company.