LastPass: the password manager was breached for four days, but nothing leaked, according to its CEO


Remi Bouvet

September 21, 2022 at 1:30 p.m.


For the company, the conclusions of the investigation are clear: no customer data was stolen.

On August 25, Karim Toubba, CEO of the password manager LastPass, informed the public of an intrusion into the company's development environment. At the time he assured users that the attackers had not managed to steal any user data. In a new post, Karim Toubba details the conclusions of the investigation conducted with Mandiant, providing further details on the event.

Saved by a zero-knowledge architecture

No backpedaling: user data was not stolen. The company explains that the attacker did gain access to the LastPass development environment after compromising a developer's device and obtaining their authentication credentials.

Fortunately for users of the service, this password manager relies, as is customary for such tools, on what is known as a zero-knowledge architecture.

The development environment does not contain customer data or an encrypted vault; it is physically separated from the production environment and there is no direct link between them. Thus, LastPass does not have the master passwords of its customers’ vaults, and without this master password, it is practically impossible for a third party to decrypt a user’s vault data.
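To make that zero-knowledge claim concrete, here is an added illustration (not LastPass's own code, and not its exact parameters) of the split the article describes: the vault key is derived from the master password on the client, the server keeps only an authentication hash and an opaque ciphertext, and a full copy of the server-side record is not enough to open the vault. The HMAC-based stream cipher, the salt choice and the iteration count are assumptions made so the demo runs with the standard library only.

```python
import hashlib
import hmac
import secrets
ITERATIONS = 100_000  # assumed PBKDF2 cost for the demo, not LastPass's value

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Client side only: this key encrypts the vault and never leaves the device.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    # Sent to the server for login; one more one-way step hides both password and vault key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-counter keystream so the demo needs no third-party library; real
    # products use AES-GCM or similar.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()  # integrity tag
    return nonce + ct + tag

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))

def enroll(email: str, master_password: str, vault: bytes) -> dict:
    # Everything the server ever stores: an auth hash and an opaque ciphertext.
    key = derive_vault_key(master_password, email)
    return {"email": email, "auth_hash": derive_auth_hash(key, master_password),
            "blob": encrypt_vault(key, vault)}

def open_vault(master_password: str, record: dict) -> bytes:
    # Client side: re-derive the key from the master password and decrypt locally.
    return decrypt_vault(derive_vault_key(master_password, record["email"]), record["blob"])

def server_can_open(record: dict) -> bool:
    # An attacker with a full copy of the server record has only the auth hash to try.
    try:
        decrypt_vault(record["auth_hash"], record["blob"])
        return True
    except ValueError:
        return False
```

The constructed record for a sample user shows the point: the vault opens only with the master password, while the stored auth hash, even in the clear, does not decrypt it.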

Still, the attacker could have used this access to the development platform to inject malicious code. A full analysis of the source code turned up nothing of the kind. The company explains, in fact, that the ability to push source code from the development environment into production is restricted to a small, separate team of developers, and that this process also goes through numerous test and validation phases.

Finally, there is no evidence of any malicious activity beyond the established four-day period.

Additional controls

Karim Toubba reports that the incident nevertheless led his company to partner with a “leading” cybersecurity firm. He also mentions the introduction of new security controls and the strengthening of procedures.

The CEO concludes: “We are aware that security incidents of any kind are destabilizing, but we want to assure you that your personal data and passwords are safe with us.” In other words, the incident claimed no victims…

Source: LastPass
