LastPass Hacked – Attackers Had Access to Internal Systems for Four Days

In Cybersecurity News - Original News Source is by Blog Writer

Post Sharing
Password Manager ‘LastPass’ notified its customers of the recent security incident targeting development environment, in which some of their source code and technical information was taken. Specifically, the attackers had access to its internal systems for a four-day period in August 2022.

“There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults” LastPass CEO Karim Toubba said.

Hackers Gained Internal Access for Four Days

The reports say the attackers gained to the ‘Development environment’ using a developer’s compromised endpoint. The accurate method of initial entry remains ‘inconclusive’, the attacker utilized their persistent access to ‘impersonate the developer’ once the developer had been authenticated using multi-factor authentication.

“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults”, LastPass

Generally, the company’s Development environment has no direct connectivity to their Production environment and the company says the Development environment does not include any customer data or encrypted vaults.

Further, the company does not have any access to the master passwords of the customers’ vaults.

“Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model”. LassPass explains.

Notably, the company confirms that there is no evidence of ‘code-poisoning’ or ‘malicious code injection’, during code integrity check. Also, developers do not have permission to to push source code from the Development environment into Production.

To improve the existing source code safety practices, LastPass says they have partnered with a leading cyber security firm. This includes secure software development life cycle processes, threat modelling, and vulnerability management and bug bounty programs.

Finally, LastPass ensures to deploy enhanced security controls, additional threat intelligence capabilities and enhanced detection and prevention technologies in both our Development and Production environments.“We recognize that security incidents of any sort are unsettling but want to assure you that your personal data and passwords are safe in our care”, LastPass.