Last month, LastPass suffered a cyber attack. The company shared some details about what happened shortly afterwards. Now, after further investigation, more information has been revealed, including the fact that the attacker had access to the LastPass development environment for four days.
The company acknowledges that it is not clear how the attacker gained access, but says: “The threat actor used their persistent access to impersonate the developer once the developer had successfully authenticated using multifactor authentication.” LastPass also revealed the impact of the four-day security incident in the name of providing “transparency and peace of mind to [its] Consumer and Business Communities”.
In an update to the blog post from the end of August, LastPass CEO Karim Toubba said: “We have completed an investigation and forensic process in partnership with Mandiant. Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this time frame, the LastPass security team detected the actor’s activity and then contained the incident. There is no evidence of any threat actor activity beyond the specified timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”
The update continues: “Our investigation found that the threat actor gained access to the development environment using a compromised developer endpoint. Although the method used for the initial endpoint compromise is inconclusive, the threat actor used their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
“Although the threat actor was able to access the development environment, the design and controls of our system prevented the threat actor from accessing any customer data or encrypted password vaults.”
While it is obviously good news that customer data was not accessed, there are still plenty of questions to answer. LastPass hasn’t shared details about who it thinks is responsible, perhaps because it simply doesn’t know. Customers and business partners alike will have questions and concerns about how an attacker could retain access for four days before being detected and the incident contained.
In an effort to allay fears, Toubba says:
First, the LastPass development environment is physically separated from our production environment and has no direct connection to it. Second, the development environment does not contain any client data or encrypted vaults. Third, LastPass has no access to the master passwords of our customers’ vaults – without the master password, no one other than the vault owner can decrypt the vault data as part of the zero-knowledge security model.
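The third point, the zero-knowledge model, is easier to reason about with the data flow written out. The Go program below is an added example for this article, not LastPass code, and every parameter in it is an assumption chosen for illustration: PBKDF2 over HMAC-SHA256 with 100,000 iterations, the account e-mail as salt, a second one-round derivation for the login hash, AES-256-GCM for the vault, and the constructed sample account and vault contents. It shows the split that the statement relies on: the client derives the vault key from the master password and sends the server only a separately derived login hash, so what the server stores (login hash plus ciphertext) cannot be turned back into the vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"io"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, standard library only; it returns
// the first 32-byte output block, which is all this example needs.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first output block
	u := mac.Sum(nil)              // U_1
	t := append([]byte(nil), u...) // T_1 = U_1 xor U_2 xor ... xor U_c
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_i = PRF(password, U_{i-1})
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// DeriveKeys models the zero-knowledge split (an assumed, generic scheme; the iteration
// count is also an assumption): the vault key comes from the master password salted with
// the e-mail and stays on the client; the login hash is a further one-way derivation of
// that key, so the server never receives anything that decrypts the vault.
func DeriveKeys(masterPassword, email string) (encKey, authHash []byte) {
	encKey = pbkdf2SHA256([]byte(masterPassword), []byte(email), 100_000)
	authHash = pbkdf2SHA256(encKey, []byte(masterPassword), 1)
	return encKey, authHash
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts the vault with AES-256-GCM; the random nonce is prepended.
func SealVault(encKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVault reverses SealVault; GCM's tag check makes a wrong key fail outright.
func OpenVault(encKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("vault blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// RunScenario enrols a user, replays a legitimate login and vault read, then tries to
// open the stored blob using only what the server holds (login hash and ciphertext).
func RunScenario() (loginOK, clientRecovers, serverDecrypts bool, err error) {
	const email, master = "alice@example.com", "correct horse battery staple" // constructed sample
	vault := []byte(`{"site":"example.org","user":"alice","pass":"hunter2"}`)     // constructed sample
	encKey, storedAuthHash := DeriveKeys(master, email)
	storedBlob, err := SealVault(encKey, vault) // server record = storedAuthHash + storedBlob
	if err != nil {
		return false, false, false, err
	}
	encKey2, authHash2 := DeriveKeys(master, email) // legitimate client re-derives from the master password
	loginOK = subtle.ConstantTimeCompare(storedAuthHash, authHash2) == 1
	pt, openErr := OpenVault(encKey2, storedBlob)
	clientRecovers = openErr == nil && string(pt) == string(vault)
	_, openErr = OpenVault(storedAuthHash, storedBlob) // server-held material only: not the vault key
	return loginOK, clientRecovers, openErr == nil, nil
}

func main() {
	ok, client, server, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("login:", ok, "client decrypts vault:", client, "server material decrypts vault:", server)
}
```

The step that matters for this incident is the last one in RunScenario: feeding the server-held login hash into the vault ciphertext produces a GCM authentication failure, not the vault, which is what “no one other than the vault owner can decrypt the vault data” means in practice. The model protects data at rest on the server side only; it offers nothing on a client where the master password is typed and the key is derived, which is why the separation between the development environment and the systems that hold vault data is the other half of the argument.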
You can read the full CEO update to the initial blog post here.