In a latest statement, Karim Toubba, CEO of LastPass admitted that the security breach in August had internal access to the company’s systems for four days until they were detected and evicted.
“Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,” Toubba said.
The investigation found that the threat actor gained access to the platform’s development environment using a developer’s compromised endpoint.
The threat actor utilised their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults,” said the CEO.
Discover the stories of your interest
LastPass is a freemium password manager that stores encrypted passwords online.
The CEO said that LastPass does not have any access to the master passwords of its customers’ vaults.
“Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model,” he mentioned.
The company said it has deployed enhanced security controls, including additional endpoint security controls and monitoring after the incident.