Attacker Had Access to LastPass for Four Days During August Breach
Industry: Technology | Level: Strategic | Source: LastPass - Blog
LastPass has completed its investigation with Mandiant into the company's security breach reported on August 25th, 2022. CEO Karim Toubba reported the findings on the company's blog, stating that the threat actor had compromised a developer's account and used it to access a development environment for four days. Toubba asserts customer data and encrypted password vaults were not impacted. The method by which the threat actor compromised the developer's account remains undetermined; nevertheless, "the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication." A system design that separates the production and development environments, along with the practice of not housing customer data in the development environment, prevented the threat actor from moving laterally and compromising client data. Additionally, Toubba maintains confidence in the LastPass master password implementation: "LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model." Threat actor activity did not extend beyond the four-day window identified by LastPass and Mandiant. Analysis of the company's source code found no evidence of code poisoning or malicious code injection attempts by the attacker. Toubba assures us the company has reinforced and enhanced its security controls.