“There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults” LastPass CEO Karim Toubba said.
Hackers Gained Internal Access for Four Days
The reports say the attackers gained access to the ‘Development environment’ using a developer’s compromised endpoint. While the exact method of initial entry remains ‘inconclusive’, the attacker used their persistent access to ‘impersonate the developer’ once the developer had authenticated using multi-factor authentication.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults”, LastPass said.
Generally, the company’s Development environment has no direct connectivity to its Production environment, and the company says the Development environment does not include any customer data or encrypted vaults.
Further, the company does not have any access to the master passwords of the customers’ vaults.
“Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model”, LastPass explains.
Notably, the company confirms that a code integrity check found no evidence of ‘code-poisoning’ or ‘malicious code injection’. Also, developers do not have permission to push source code from the Development environment into Production.
To improve its existing source code safety practices, LastPass says it has partnered with a leading cybersecurity firm. This includes secure software development life cycle processes, threat modelling, vulnerability management, and bug bounty programs.
Finally, LastPass says it is deploying enhanced security controls, additional threat intelligence capabilities and enhanced detection and prevention technologies in both its Development and Production environments. “We recognize that security incidents of any sort are unsettling but want to assure you that your personal data and passwords are safe in our care”, LastPass said.