Hacker Accessed LastPass Internal System for 4 DaysCompany's Source Code, Proprietary Data Stolen in August Breach
Password manager LastPass says the attackers behind the August security incident had access to its systems for four days.
LastPass CEO Karim Toubba, sharing details about last month's breach, confirms that there is no evidence of any threat actor activity beyond the established timeline.
"We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults," Toubba says.
In August, an unknown threat actor gained unauthorized access to the source code and proprietary technical information of LastPass (see: Hacker Steals Source Code, Proprietary Data From LastPass).
The breach investigation was carried out in partnership with cybersecurity firm Mandiant and uncovered that the threat actor's activity was limited to a four-day period until the incident was contained.
Further investigation from LastPass and Mandiant determined that the threat actors gained access to the development environment using a developer's compromised endpoint.
"While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multifactor authentication," Toubba says.
Toubba acknowledges that the threat actor was able to access the development environment but failed to access any customer data or encrypted password vaults.
Toubba also says that the LastPass development environment is physically separated from other environments, including the production area, and has no customer data or encrypted vaults.
The notification also says that the company does not have access to the master passwords used by the customers, and without having the master password, no one can decrypt vault data as part of the company's "zero-knowledge security model."
The company confirms that its code remains intact, and there is no evidence of code poisoning or malicious code injection.
"Developers do not have the ability to push source code from the Development environment into Production. This capability is limited to a separate Build Release team and can only happen after the completion of rigorous code review, testing and validation processes," Toubba says.
LastPass also partnered with an unnamed cybersecurity firm to further enhance its source code safety practices, including secure software development life cycle processes, threat modeling, vulnerability management and bug bounty programs as part of its risk management program.
The company says it deployed additional security controls including extra endpoint security controls and monitoring and deployed threat intelligence capabilities as well as enhanced detection and prevention technologies for development and production environments.
This isn't the first time LastPass has been a target for hackers, including a 2015 incident in which attackers make off with usernames and hashed master passwords (see: LastPass Sounds Breach Alert).
Security experts continue to recommend password managers as a best practice. A 2019 study found password strength increases significantly when users use an application to manage passwords.