LastPassarguably the most popular password manager, admitted last month that it had been hacked, although it said it found no evidence that customer data or encrypted password vaults had been compromised.
Almost a month later, the company via its official blog shared more information about the cyber attack it received, highlighting among other things that the attacker managed to gain access to the LastPass development environment for four days. While he acknowledges what happened, he still hasn’t finished explaining exactly how it happened.
LastPass revealed via an official blog post update that a malicious actor managed to impersonate a developer after the developer successfully authenticated through a multi-factor process. In addition, he says that he disclosed some details to offer transparency to his user communities and companies, and that is that obscurantism many times ends up creating more distrust than anything else.
An update to the official blog post, signed by Karim Toubba, CEO of LastPass, states that “in collaboration with Mandiant, we have completed the forensic investigation and analysis process. Our investigation revealed this Threat actor activity was limited to a four-day period in August 2022. During this period, the LastPass security team detected the threat actor’s activity and then contained the incident. There is no evidence of any threat activity outside of the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”
“Our investigation determined that a threat actor gained access to the development environment using a compromised developer endpoint. While the method used to compromise the endpoint is inconclusive, a threat actor used their persistent approach to impersonate a developer once the developer successfully authenticated using multi-factor authentication. Although the threat actor had access to the development environment, our system design and controls prevented the threat actor from accessing customer data or encrypted password vaults.”
LastPass explains it the development environment is physically separate and has no direct connectivity to the production environment, so the malicious player could not access the password manager’s user data. Despite everything, and in the event that you do not do so after discovering the incident, we recommend that you change the password of the vault as soon as possible, and in case of complete loss of trust in LastPass, the user can look at these open code alternatives.
