The company updated the statement about the security incident it suffered in August and confirmed that the people behind the attack had access to part of its systems for four days.
At the end of August, news broke that the password manager LastPass had suffered a security incident and that malicious actors accessed their systems and stole part of their source code. But in one September 15 update In the statement, LastPass reported that after completing the investigation and forensic process, it was learned that the attackers had access to their systems for four days until they were detected.
In this way, the company confirmed that they were able to prevent the people behind the attack from having access to sensitive information and assured that according to the investigation there is no evidence that they have accessed the encrypted passwords of those who use this password manager. Likewise, the company clarified that this information on clients is separate and has no connection with the development area, which was the one to which they gained access.
It was also reported that the attackers compromised the computer of a company developer. And although they did not determine if it was through malware or another method, it was learned that during those four days the cybercriminals pretended to be the developer and accessed different information within the development environment after successfully authenticating using the authentication in Two steps.
On the other hand, the integrity of the source code and the builds and found no evidence that they injected malicious code. This is because developers don’t have the ability to push code directly to production, and this is done by a separate team that goes through a rigorous process that involves code review, testing, and validation.
The LastPass attack is likely to raise more concern than other incidents because it is a password manager, and is used by more than 33 million people. Also, in 2015 the company suffered an incident that this time it did affect its key storage network.