Attacker Had Access to LastPass for Four Days During August Breach

Industry: Technology | Level: Strategic | Source: LastPass - Blog

LastPass has completed its investigation with Mandiant into the company's security breach reported on August 25th, 2022. CEO Karim Toubba reported the findings on the company's blog, stating that the threat actor had compromised a developer's account with access to a development environment for four days. Toubba asserts that customer data and encrypted password vaults were not impacted. System designs separating the production and development environments, along with the security practice of not housing customer data within Development, prevented the threat actor from moving laterally and compromising client data.

The method by which the threat actor compromised the developer's account remains undetermined; nevertheless, "the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication." Threat actor activity did not span past the four-day window identified by LastPass and Mandiant. Additionally, Toubba maintains confidence in the LastPass master password implementation: "LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model."