According to the company, the hacker who recently gained access to LastPass lingered on the network for days before being discovered and stopped.
According to a blog post by the CEO of the password manager, Karim Toubba, the hacker stayed on the compromised network for about four days.
The investigation has revealed that the attacker did not have access to any encrypted password vaults or customer data during that time.
Attack on LastPass
Despite having access to the development environment, Toubba said that the threat actor was unable to access any customer data or encrypted password vaults due to the system’s design and controls.
It appears that the attacker used a developer’s compromised endpoint to gain access to the organization’s development environment.
Toubba stated that, once MFA authentication had succeeded, the attacker used persistent access on the endpoint to impersonate the developer. However, the investigation and forensics were unable to identify the precise technique used for the initial endpoint compromise.
Code is secure
The fact that only the Build Release team has the ability to push code from Development into Production may explain why LastPass said it found no evidence of the threat actor attempting to inject malicious code. Toubba added that code still requires review, testing, and validation before release, and that the LastPass Development and Production environments are “physically separated.”
To prevent a repeat of this incident, LastPass implemented “enhanced security controls including additional endpoint security controls and monitoring,” along with additional threat intelligence capabilities and improved detection and prevention technologies. These controls were deployed in both the development and production environments.
The company noticed “unusual activity” toward the end of last month and, after investigating, confirmed a security breach.
No end users were required to take any action because the initial investigation found no proof that threat actors had accessed customer data or password vaults.