LastPass says password vaults untouched in security breach
LastPass says the attacker responsible for a security incident in August 2022 only has access to its systems for four days.
The company added that the incident was limited to the LastPass development environment, which has no direct connectivity to its production environment.
“We have completed the investigation and forensics process in partnership with Mandiant,” LastPass said.
“Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022.”
“During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,” it added.
The company said no customer data or encrypted password vaults had been compromised because of the lack of direct connectivity between its development and production environments.
“Firstly, the LastPass Development environment is physically separated from, and has no direct connectivity to, our Production environment,” LastPass said.
“Secondly, the Development environment does not contain any customer data or encrypted vaults.”
It added that LastPass doesn’t have access to the master passwords of its customers’ vaults.
“Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model.”
LastPass notified customers of the security incident on Thursday, 25 August 2022.
A preliminary investigation determined that an “unauthorised party” accessed its developer environment, the software employees use to build and maintain LastPass’s product.
The perpetrators were able to gain access through a single compromised developer’s account, the company said.
Loading ...