The malicious user had inside access to LastPass for four days.
LastPass’ server was hacked in August. The firm has informed customers that neither their personal information nor login passwords were stolen in the attack.
LastPass CEO Karim Toubba just delivered an update. According to an investigation by the company and cybersecurity firm Mandiant, the bad actor had four days of inside access.
The attackers stole the password manager’s source code and technical details by accessing its development environment.
This environment isn’t linked to client vaults or data. Toubba said that LastPass does not know its clients’ master passwords.
According to the chief executive officer, there is “no evidence” that this incident involved “any access to customer data or encrypted password vaults.”
The CEO stressed this. After four days, they found no indication that the hacker had introduced harmful code or gained unauthorized access.
Toubba said that the attacker was able to exploit a weakness in a developer’s endpoint in order to obtain access to the service’s network.
The hacker successfully assumed the developer’s identity after the hacker “effectively confirmed as the developer using multi-factor authentication.”
A data breach occurred in 2015, and as a result, users of LastPass had their email addresses, authentication hashes, and password reminders taken.