During a hack in August 2022, attackers had access to the LastPass password manager systems for four days.
Enlarge
Lastpass was the victim of a hacker attack in August.
© Lastpass
In August 2022, the makers of the password management software LastPass confirmed that they had been the victim of a hacker attack in the past month. In the past few days, LastPass CEO Karim Toubba has now announced further details about the attack.
Hackers had access for four days
According to Toubba, the investigations are now complete in cooperation with Mandiant’s security experts. The investigations revealed that attackers had access to the LastPass development environment for a period of four days in August 2022. According to LastPass, it can confirm that there is no evidence that
“that this incident involves access to customer data or encrypted password vaults”
, according to a blog post on the developer’s website. In addition, no evidence was found that the hackers had access to the LastPass systems beyond this period.
No access to customer vaults
The hackers managed to get into the development environment via a compromised endpoint. The attackers would have pretended to be developers in the system and were able to log in using successful multi-factor authentication. However, LastPass’s system design prevented the attackers from accessing customer data and encrypted password vaults during the hack. The developers themselves would not have access to the customers’ master passwords and therefore cannot open their safes either.
LastPass improves security controls
be at the examination
“no evidence of attempts at code poisoning or malicious code injection”
been found. To better protect itself in the future, LastPass has partnered with a cybersecurity company and introduced enhanced security controls.
“We recognize that security incidents of any kind are worrying, but we want to reassure you that your personal information and passwords are safe with us,”
Toubba further explains.
