LastPass confirmed: Attackers had access to internal systems for four days

[German]The developers of the web-based password manager online service LastPass announced this week that attackers had access in August 2022 to internal systems for four days. Then the unauthorized access has been detected. However, the attackers probably did not succeed in gaining write access to the development environment and modifying code of the LastPass software or accessing sensitive user data.

The LastPass hack

In late August 2022, password manager online service LastPass informed its users that unauthorized third parties had gained access to its internal development environment. Two weeks prior to this notification, the company had noticed unusual operations in the LastPass development environment. Unauthorized third parties had managed to gain access to parts of the LastPass development environment. I had reported on the incident in the blog post LastPass security incident: Development environment hacked (August 25, 2022).

More details published

Meanwhile, online service LastPass, along with security specialists from Mandiant, conducted a detailed investigation into the incident and released new findings as of Sept. 15, 2022. 

Attack via a compromised developer account

The analysis revealed that the threat actor gained access to the LastPass development environment via a developer's compromised endpoint. Although it is unclear what method the attacker initially used to compromise developer access, it appears certain that only that access was abused. LastPass writes that the threat actor impersonated the developer to successfully log in via multi-factor authentication.

Access for only four days

Subsequently, the attacker used this persistent access to access the development system. The investigation revealed that the attackers only had access to the company's IT systems during a four-day period in August 2022. The LastPass security team detected the threat actor's activities and was subsequently able to contain the incident. 

No sensitive user data accessed

There was no evidence of activity by the threat actor beyond the specified time period, LastPass says. Furthermore, they found no evidence that the intruder was able to gain access to customer data or encrypted password vaults.  This was probably successfully prevented by the system design.

The LastPass development environment is physically separate from and has no direct connection to the production environment. The development environment does not contain any customer data or encrypted vaults.  Further, LastPass does not have access to the master passwords of its customers data safes – without the master password, it is not possible for anyone other than the owner of data safe to decrypt the vault's data. This is part of the LastPass Zero Knowledge security model.

LastPass code integrity assured

One question that remained was whether the code for LastPass could possibly be modified. By separating the development and production environments, attackers could not access the production system.

To verify the integrity of the code, an analysis of the source code and production builds was performed. No evidence of attempts at code poisoning or malicious code injection was found. Developers do not have the ability to transfer source code from the development environment to the production environment. This ability is limited to a separate build-release team and can only happen after completing rigorous code review, testing and validation processes. It looks like LastPass got off with a "black eye." The design of the development and production environments has also contributed to this. (via)