No Customer Data or Encrypted Password Vaults Were Breached in LastPass Incident
Hackers Had Access to Company’s Systems for Four Days.
In an update to the notification regarding the cyberattack suffered in August, LastPass, one of the most widely used password management programs in the world, shared the conclusion of the investigation following the attack.
The company’s investigation, performed in conjunction with cybersecurity firm Mandiant, shows that the threat actor had access to LastPass’ internal systems for four days before being discovered and removed.
What Data Was Within the Hacker’s Reach and What Was Not
LastPass’ CEO, Karim Toubba, said that the investigation revealed no proof the threat actor accessed customer data or encrypted password vaults, and that the actor’s activity was confined to the LastPass Development environment.
There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.
Cybercriminals managed to exfiltrate some source code and proprietary technical information, as previously announced.
The cybercriminal penetrated the Development environment through a compromised developer endpoint, impersonating the developer once that developer had logged in. How the endpoint was compromised is still not known.
Another piece of good news is that the cybercriminal did not inject any malicious code during the attack, as the investigation showed after evaluating source code and production builds.
This is because “developers do not have the ability to push source code from the Development environment into Production. This capability is limited to a separate Build Release team and can only happen after the completion of rigorous code review, testing, and validation processes”, Karim Toubba explained.
New Security Measures for LastPass
After this attack, the company implemented a series of measures, in partnership with a cybersecurity firm, to strengthen its defenses against cybercriminals.
As part of our risk management program, we have also partnered with a leading cyber security firm to further enhance our existing source code safety practices which include secure software development life cycle processes, threat modeling, vulnerability management and bug bounty programs.
LastPass also announced that it has strengthened endpoint and monitoring security controls, along with investing in detection and prevention technologies in both Development and Production environments.
LastPass claims to have 33 million customers and 100,000 businesses using its password management software.
UPDATE: Threat Actor Gains Access to Customers’ Information
On November 30, 2022, LastPass gave its customers an update on the situation. The company detected unusual activity within a third-party cloud storage service that is currently shared by LastPass and its affiliate, GoTo.
Notification email sent by LastPass to its customers
Law enforcement has been informed about the incident, and an investigation was immediately launched alongside security firm Mandiant. The unauthorized actor used information obtained in the August 2022 incident to gain access to certain elements of customers’ information.
LastPass assured its customers that their passwords remain safe from the threat actor because of the company’s encryption procedures.
We are working diligently to understand the scope of the incident and identify what specific information has been accessed… As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity.
Karim Toubba, LastPass CEO
In the meantime, LastPass’ products and services remain fully functional. “We thank you for your patience while we work through our investigation,” declared the company’s CEO.