[Updated on 21 September 2022] LastPass Breach Update
In a blog post, LastPass CEO Karim Toubba writes that the intruders were active in LastPass systems for four days in August. The intruder had access to the Development environment via a compromised developer endpoint and stole source code and proprietary technical information.
- Kudos to LastPass for their transparency around this breach. Many of the headlines surrounding the initial breach talked about customers’ password vaults being at risk, which is not the case. While it is not comfortable for LastPass to have their development environment exposed, this case is a valuable lesson in ensuring you have the facts in place before deciding on how to respond to a news story.
- Kudos to LastPass for transparency, including discussion of how they are preventing recurrence. While they have determined no malicious code was introduced into the development environment, the harder part will be determining what of their code was exfiltrated and how to ensure that code cannot be leveraged to circumvent the security of their products. As such, make sure that you’re watching for and deploying any LastPass updates proactively.
Read more in:
- Hacker Accessed LastPass Internal System for 4 Days
- LastPass Found No Code Injection Attempts Following August Data Breach
- LastPass says hackers had internal access for four days
- Notice of Recent Security Incident: Update as of Thursday, September 15, 2022
[Updated on 20 September 2022] LastPass hack update
In another update to its data breach disclosure blog post, password management app LastPass said it completed its investigation into the incident and determined the hacker only had access to its systems for a period of four days in August. The company disclosed the breach on August 25, when it found that one of its developers’ accounts had been compromised via social engineering. Read more: LastPass > Notice of Recent Security Incident
A few weeks ago, LastPass disclosed a network intrusion. Now with more details, the password manager company said the attacker “gained access to the development environment using a developer’s compromised endpoint.” It’s not clear how the attacker broke into the developer’s device — an endpoint could be anything from antivirus to a home router — but the attacker “utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.” Since the company doesn’t store master passwords, they’re safe. Not bad as breach notifications go.