Just three weeks ago, on August 25, LastPass disclosed that it had suffered a security breach in which an unauthorized third party gained access to parts of its systems and to sensitive information. A thorough investigation followed, and a few days ago the company's CEO published an update on the company's website with further details.
The update states that the attackers were unable to reach user data, so the information of those who use this popular password manager has not been compromised. It does confirm, however, that the intruder had access to the company's systems for four days, during which they reached several internal systems, technical documentation and even the source code of the product.
That access was limited to the development environment of the password manager, which is separate from the environment that holds user data. Moreover, LastPass itself does not hold users' master passwords, which are required to decrypt their vaults, so access to company systems alone does not expose vault contents.
The company carried out the investigation with support from Mandiant. Beyond the findings above, it established that the attacker's entry point was a developer's compromised computer. The investigation could not determine the method used to compromise that machine.
From that foothold, the attacker impersonated the developer once the developer had successfully authenticated, so multi-factor authentication, although enabled, did not stop the intrusion. MFA protects the login event; it does not protect a session that is afterwards driven from an endpoint the attacker already controls.
LastPass also performed an integrity check of its source code, analysing the source together with the production builds derived from it. The analysis found no evidence of attempted malicious code injection or other tampering with the code.
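The kind of check described above, reduced to its core, is a comparison of what is in production against a signed record of what was reviewed. The following is an added example written for this article, not LastPass or Mandiant code: it hashes a reviewed source tree into a manifest, signs the manifest, and then reports which files in a production tree were modified, added without review, or removed. The two trees and the key are constructed for the example; a real pipeline would sign the manifest with an asymmetric key held by the release team rather than a shared secret.

```python
"""Added example: integrity check of a production tree against a signed manifest
of the reviewed source. Not LastPass code; trees and key below are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample: the reviewed source, as relative path -> file contents.
REVIEWED_TREE: Dict[str, bytes] = {
    "src/vault.py": b"def decrypt(blob, key):\n    return aes_gcm_open(key, blob)\n",
    "src/auth.py": b"def login(user, pw, otp):\n    return verify(user, pw) and verify_otp(user, otp)\n",
    "build.sh": b"#!/bin/sh\nset -eu\npython -m build\n",
}

# Constructed sample: what was recovered from the production build. One reviewed
# file has an injected line, and one file exists that was never reviewed at all.
PRODUCTION_TREE: Dict[str, bytes] = {
    "src/vault.py": b"def decrypt(blob, key):\n    report(key)\n    return aes_gcm_open(key, blob)\n",
    "src/auth.py": REVIEWED_TREE["src/auth.py"],
    "build.sh": REVIEWED_TREE["build.sh"],
    "src/helper.py": b"import os\nos.system('id')\n",
}

# Constructed key for the example. A real release pipeline would sign with an
# asymmetric key held by the release team, not a secret embedded in a script.
MANIFEST_KEY = b"release-team-manifest-key"


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def canonical(manifest: Dict[str, str]) -> bytes:
    """Deterministic serialization so the signature does not depend on dict order."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest (stand-in for a release signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], key: bytes, signature: str) -> bool:
    """Constant-time comparison so a forged signature cannot be guessed byte by byte."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def compare_trees(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added (never reviewed) or removed."""
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    added = sorted(p for p in actual if p not in expected)
    removed = sorted(p for p in expected if p not in actual)
    return {"modified": modified, "added": added, "removed": removed}


def check_release(reviewed_manifest: Dict[str, str], signature: str, key: bytes,
                  production_tree: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Refuse an unverifiable baseline, then diff the production build against it."""
    if not verify_manifest(reviewed_manifest, key, signature):
        raise ValueError("manifest signature invalid: reviewed baseline cannot be trusted")
    return compare_trees(reviewed_manifest, build_manifest(production_tree))


def is_clean(result: Dict[str, List[str]]) -> bool:
    """True only when nothing was modified, added or removed."""
    return not any(result.values())


if __name__ == "__main__":
    manifest = build_manifest(REVIEWED_TREE)
    sig = sign_manifest(manifest, MANIFEST_KEY)
    result = check_release(manifest, sig, MANIFEST_KEY, PRODUCTION_TREE)
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}: {p}")
    print("clean" if is_clean(result) else "tampered")
```

Run against the constructed trees it flags src/vault.py as modified and src/helper.py as an unreviewed addition; the same check against the reviewed tree itself reports clean. Verifying the manifest signature first matters because an attacker who can alter production code can usually also alter an unsigned list of hashes sitting beside it.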
The company also states that developers cannot push source code from the development environment into production. That capability is restricted to a dedicated build-release team, and a release happens only after code review, testing and multiple validation steps.