LastPass, arguably the most popular password manager, acknowledged last month that it had been hacked, although, according to its own account, it found no evidence that customer data or encrypted password vaults had been compromised.
Almost a month later, the company has shared more information about the cyberattack it suffered through its official blog, highlighting, among other things, that the attacker managed to keep access to the LastPass development environment for four days. Although the company acknowledges what happened, it has still not fully explained exactly how it happened.
LastPass has disclosed, via an update to the official blog post, that the malicious actor managed to impersonate a developer after that developer had successfully authenticated through the multi-factor process. It also says it has shared these details in order to offer transparency to its user and business communities, since secrecy often ends up generating more distrust than anything else.
The update to the official blog post, signed by Karim Toubba, CEO of LastPass, states that “we have completed the forensic investigation and analysis process in partnership with Mandiant. Our investigation revealed that threat actor activity was limited to a four-day period in August 2022. During this period, the LastPass security team detected threat actor activity and then contained the incident. There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”
“Our investigation determined that the threat actor gained access to the development environment using a developer’s compromised endpoint. While the method used to compromise the endpoint is inconclusive, the threat actor used his persistent login to impersonate the developer once the developer successfully authenticated using multi-factor authentication. Although the threat actor was able to access the development environment, our system design and controls prevented the threat actor from accessing customer data or encrypted password vaults.”
LastPass explains that the development environment is physically separate and has no direct connectivity to the production environment, which is why the malicious actor was not able to reach password manager user data. Even so, if you have not already done so since the incident came to light, we recommend changing your vault password as soon as possible, and if you have completely lost confidence in LastPass, you can look at these open-source alternatives.