Hackers had internal access to LastPass for four days


By MYBRANDBOOK


Hackers had internal access to LastPass for four days

Sharing more details about the security incident last month, password management solution LastPass disclosed that the threat actor had access to its systems for a four-day period in August 2022.

 

The company completed the investigation into the hack in partnership with incident response firm Mandiant, further adding that the access was achieved using a developer’s compromised endpoint. The threat actor utilised their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.

 

LastPass CEO Karim Toubba said, “Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident. There is no evidence of any threat actor activity beyond the established timeline, there is no evidence that this incident involved any access to customer data or encrypted password vaults.”

 

The CEO said that LastPass does not have any access to the master passwords of its customers’ vaults. “Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model,” he said.

 

As informed earlier, the attacker failed to obtain any sensitive customer data owing to the system design and zero trust controls put in place to prevent such incidents. It also said it conducted source code integrity checks to look for any signs of poisoning and that developers do not possess the requisite permissions to push source code directly from the development environment into production.

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org