LastPass notified customers of a security breach in August 2022 on the company’s official blog. This week, following its investigation, the company released additional information about the hack.
As early as August 2022, LastPass informed customers that unusual activity had been detected in the development environment. It quickly became apparent that a third party was able to gain access to “parts of the development environment” via a hacked developer account.
The attacker received “parts of source code and some proprietary technical information from LastPass,” but was unable to access production environments or customer data.
LastPass asked cybersecurity and forensics company Mandiant to help them investigate the incident. The September 2022 update reveals more details about the security incident.
According to LastPass, the attacker gained access to the development environment for a period of 4 days in August. When LastPass Security discovered the incident, it was immediately contained.
No evidence was found that the threat actor had access beyond the 4 day period. The attacker had no access to customer data and encrypted vaults.
The attacker gained access through a compromised developer account. The account was protected with multi-factor authentication. Developer accounts are restricted to the development environment, which prevented the attacker from accessing customer data, encrypted vaults, or production environments. According to LastPass, development environments do not have access to customer data.
Forensic scientists analyzed the source code and production builds to determine if there had been any tampering over the four-day period. According to LastPass, “no evidence of attempts at code poisoning or malicious code injection” was found.
For security reasons, developers have no direct way to move source code from development to production. A separate build-release team is responsible for this, which checks, tests and validates sources and changes.
LastPass announced that security has been improved as a result.
As part of our risk management program, we’ve also partnered with a leading cybersecurity company to further enhance our existing source code security practices, which include secure software development lifecycle processes, threat modeling, vulnerability management, and bug bounty programs.
In addition, we have implemented enhanced security controls, including additional endpoint security controls and monitoring. We’ve also deployed additional threat intelligence capabilities and enhanced detection and prevention technologies in both our development and production environments.
An attacker gained access to the LastPass development environment, but neither changed the source code nor gained access to customer data. However, source code and technical information have been accessed and preserved.
Now you: Which password management service do you use, if any? (via Born)
LastPass provides details on the August 2022 hack
LastPass released additional information on the August 2022 security incident after conducting a forensic analysis of the security breach.
Ghacks technology news