LastPass reveals details of August hack that gave threat actor access to its development environment for four days

Last month, LastPass suffered a cyberattack and the company shared some details about what had happened shortly afterwards. Now, having conducted further investigations, more information has been revealed including the fact that the attacker had access to the LastPass development environment for four days.

The company concedes that it is not clear how the attacker was able to gain access but says: "the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication". LastPass has also revealed the impact of the four-day security incident in the name of providing "transparency and peace-of-mind to [its] consumer and business communities".

See also:

• Microsoft Teams for Windows, macOS and Linux insecurely stores authentication tokens in unprotected cleartext -- and a fix is NOT in the pipeline
• Uber suffers 'cybersecurity incident' with hackers gaining access to internal systems and vulnerability reports
• Microsoft issues patch for serious security vulnerability affecting everything from Windows 7 to Windows 11

In an update to the blog post from the end of August, LastPass CEO Karim Toubba says: " We have completed the investigation and forensics process in partnership with Mandiant. Our investigation revealed that the threat actor's activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident.  There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults".

Toubba continues:

Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication. 

Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults. 

While it is clearly good news to hear that customer data can not been compromised, there are still lots of questions to be answered. LastPass has not shared details of who it believes to have been responsible -- perhaps because it simply does not know. Customers and business partners alike will have questions and concerns about how any attack could last for so long before it was detected and action was taken.

In a bid to assuage concerns, Toubba says:

Firstly, the LastPass Development environment is physically separated from, and has no direct connectivity to, our Production environment. Secondly the Development environment does not contain any customer data or encrypted vaults.  Thirdly, LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model. 

You can read the CEO's update to the initial blog post in full here.

Image credit: monticello / depsitphotos