At the end of August, LastPass reported that they had been hacked. Later the same blog post was updated with additional detail. The investigation performed by LastPass in partnership with Mandiant helped them understand the attack's timeframe and target.
According to the provided information, the malicious activity lasted only about four days in August and stopped once the LastPass security team managed to contain the incident.
The attacker gained access through a compromised developer’s endpoint and managed to reach the Development environment. However, that environment didn’t contain any data that belonged to customers and, according to the company’s reports, is physically separated from the Production environment. LastPass also insists that, due to their Zero Knowledge security model, they do not have access to the master passwords of their clients, and that it is impossible to decrypt the data without master passwords.
A code analysis was also performed to detect any possible attempts at malicious code injection. The team didn’t detect any. In addition, there was no chance of getting possibly modified code uploaded onto the Production environment, since developers do not have such permission. That environment can be updated only by a separate release team, and only after code review, testing, and validation.
In addition, LastPass CEO Karim Toubba mentioned that the team deployed additional security and monitoring measures to prevent any incidents in the future.