LastPass says the attacker behind the August security breach had internal access to the company’s systems for four days until they were detected and evicted.
In an update to the security incident notification published last month, Lastpass’ CEO Karim Toubba also said that the company’s investigation (carried out in partnership with cybersecurity firm Mandiant) found no evidence the threat actor accessed customer data or encrypted password vaults.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults,” Toubba said.
While method through which the attacker was able to compromise a Lastpass developer’s endpoint to access the Development environment, the investigation found that the threat actor was able to impersonate the developer after he “had successfully authenticated using multi-factor authentication.”
After analyzing source code and production builds, the company has also not found evidence that the attacker tried to inject malicious code.
This is likely because only the Build Release team can push code from Development into Production, and even then, Toubba said the process involves code review, testing, and validation stages.
Additionally, he added that the LastPass Development environment is “physically separated from, and has no direct connectivity to” Lastpass’ Production environment.
Following the incident, Lastpass has “deployed enhanced security controls including additional endpoint security controls and monitoring,” as well as additional threat intelligence capabilities and enhanced detection and prevention technologies in both Development and Production environments.
Breach notification delayed for two weeks
This update comes after Lastpass notified users on August 25th that it “recently detected some unusual activities” in its development environment.
The disclosure came after BleepingComputer had learned of the breach from insiders one week before and reached out to the company on August 21st without receiving a reply to questions and requests to confirm the incident.
In the letter sent to customers after BleepingComputer’s emails, Lastpass confirmed it was hacked two weeks before and that the attackers had stolen some source code and proprietary technical information.
“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment,” the company said at the time.
“After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
LastPass provides one of the most popular password management software in the world, with the company claiming that it’s used by over 33 million people and 100,000 businesses.