Security News > 2022 > September > Hackers Had Access to LastPass's Development Systems for Four Days

Password management solution LastPass shared more details pertaining to the security incident last month, disclosing that the threat actor had access to its systems for a four-day period in August 2022.

"There is no evidence of any threat actor activity beyond the established timeline," LastPass CEO Karim Toubba said in an update shared on September 15, adding, "There is no evidence that this incident involved any access to customer data or encrypted password vaults."

LastPass in late August revealed that a breach targeting its development environment resulted in the theft of some of its source code and technical information, although no further specifics were offered.

While the exact method of initial entry remains "Inconclusive," LastPass noted the adversary abused the persistent access to "Impersonate the developer" after the victim had been authenticated using multi-factor authentication.

This includes the complete separation of development and production environments and its own inability to access customers' password vaults without the master password set by the users.

Last but not least, LastPass noted that it has engaged the services of a "Leading" cybersecurity firm to enhance its source code safety practices and that it has deployed additional endpoint security guardrails to better detect and prevent attacks aimed at its systems.

News URL

https://thehackernews.com/2022/09/hackers-had-access-to-lastpasss.html