No user data was exposed, passwords entirely secure

Sep 18, 2022 13:42 GMT

LastPass has provided more information on the security incident that was discovered earlier this year, and in an update published this week, the company says that it has managed to confirm that hackers accessed its systems for just 4 days.

The whole thing happened in August 2022, LastPass says, and once again, it hasn’t found any evidence that the malicious actors accessed any customer data or encrypted password vaults.

By the looks of things, the breach became possible after the hackers managed to compromise a developer's system.

“Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication,” LastPass explains.

No customer data exposed during the attack

As for how the customer data remained secure the whole time, it's because the Development environment isn't in any way connected to the other environments that the company uses.

“Firstly, the LastPass Development environment is physically separated from, and has no direct connectivity to, our Production environment. Secondly the Development environment does not contain any customer data or encrypted vaults. Thirdly, LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model,” it says.

Needless to say, LastPass has also put additional security protections in place, including additional endpoint security controls and monitoring. In other words, breaking into the endpoints used by LastPass developers should now be more difficult, which reduces the likelihood of another major breach.