LastPass confirms hackers had access to internal systems for several days

LastPass
(Image credit: LastPass)

The attacker that recently breached LastPass lurked around the network for days before being spotted and eliminated, the company has confirmed. 

A blog post published by the password manager's CEO Karim Toubba revealed that the attacker spent some four days on the compromised network. 

During that time, though, the attacker did not access customer data, or encrypted password vaults, the investigation has shown. 

LastPass attack

"Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults," Toubba said.

The attacker was apparently able to access the company’s Development environment through a developer’s compromised endpoint

The investigation and forensics did not manage to determine the exact method used for the initial endpoint compromise, Toubba did say the attackers utilized their persistent access to impersonate the developer after successfully authenticating with MFA.

Code is safe

LastPass also said there was no evidence of the threat actor trying to inject malicious code, probably because the Build Release team is the only one that can push code from Development into Production. Even then, Toubba added, the code needs to be reviewed, tested, and validated. What’s more, Toubba said that the LastPass Development environment is “physically separated” from the Production environment. 

To ensure an incident like this one does not repeat, LastPass deployed “enhanced security controls including additional endpoint security controls and monitoring," together with extra threat intelligence features and enhanced detection and prevention technologies. These technologies were deployed in both the Development and Production environment. 

Late last month, the company spotted “unusual activity” and, following an investigation, discovered a security compromise. 

The initial investigation found no evidence of threat actors accessing customer data or password vaults, meaning no action from end users was required. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.