LastPass says the attacker behind the August security breach had internal access to company systems for four days until he was detected and kicked out.
In an update to the security incident notification issued last month, LastPass CEO Karim Toubba also said the company’s investigation (conducted in partnership with cybersecurity firm Mandiant) found no evidence that the threat actor accessed customer data or encrypted password vaults.
“Although the malicious actor was able to gain access to the development environment, our system design and controls prevented him from accessing customer data or encrypted password vaults,” Toubba said.
The attacker was able to compromise a LastPass developer’s endpoint to access the development environment, and the investigation revealed that the threat actor was able to impersonate the developer after he “successfully authenticated using multi-factor authentication”.
After analyzing the source code and production versions, the company also found no evidence that the attacker attempted to inject malicious code.
That’s likely because only the Build Release team can push code from development to production, and even then, Toubba said the process involves code review, testing, and validation stages.
Toubba added that LastPass has “deployed enhanced security controls, including additional endpoint security controls and monitoring,” as well as additional threat intelligence capabilities and enhanced detection and prevention technologies across development and production environments.
Notice of breach delayed two weeks
This update comes after LastPass notified users on August 25 that it “recently detected some unusual activity” in its development environment.
The disclosure came after BleepingComputer learned of the breach from insiders a week prior and contacted the company on August 21 without receiving a response to questions and requests to confirm the incident.
In the letter sent to customers after the BleepingComputer emails, LastPass confirmed that it had been hacked two weeks prior and that the attackers had stolen source code and proprietary technical information.
“Two weeks ago, we detected unusual activity in certain parts of the LastPass development environment,” the company said at the time.
“After launching an immediate investigation, we have seen no evidence that this incident involved access to customer data or encrypted password vaults.”
LastPass provides one of the most popular password managers in the world, with the company claiming it’s used by over 33 million people and 100,000 businesses.