Password management solution LastPass has confirmed that the company was hacked and the hackers had access to its development system for four days. The company stated in a blog post that nearly two weeks back, it detected some “unusual activity” in portions of its “LastPass development environment”, and immediately carried out an investigation for the same.
As per the company’s reports, the hackers likely gained access to some of its source code through “a single compromised developer account”. The hackers were able to compromise a company developer’s endpoint to gain access to the Development environment, impersonating the developer after he “authenticated using multi-factor authentication,” which allowed them to get hold of some of the source code and “some proprietary LastPass technical information”. However, the company claims that no user data was compromised during the action.
The company states that all of its “products and services are operating normally.” The Investigation for the hack is still ongoing and the company states that it has “implemented additional enhanced security measures.”
LastPass CEO Karim Toubba stated that “There is no evidence of any threat actor activity beyond the established timeline […] there is no evidence that this incident involved any access to customer data or encrypted password vaults”.
The company restated that despite the unauthorized access, the hacker did not succeed in getting hold of any sensitive user data owing to system design and zero trust access (ZTA) is put in place to avert such incidents in the future.
ZTA includes complete segregation of the Development and Production environment and the company’s own inability to access any of its customer’s password vaults without the master password set by the customers. “Without the master password, it is not possible for anyone other than the owner of a vault data,” the CEO stated.
Lastly, LastPass also mentioned that it has restored to the services of a leading cybersecurity firm to enhance its source code safety practices and will ensure its system’s security, deploying additional endpoint security guardrails in both Development and Production environments to better detect and prevent any attack aiming at its systems.