Last month, LastPass admitted that an unauthorized party was able to break into the system and had access to sensitive information for about four days. LastPass’s CEO said the company worked closely with Mandiant’s security experts and the investigation revealed that no user data was compromised.
The attacker, however, was able to access the LastPass password manager source code and technical information. Access was limited to the service development environment which has nothing to do with user data. Not to mention LastPass itself does not have access to users’ master passwords, which in turn are required to decrypt the data.
The investigation suggests that the attacker used a developer’s endpoint and impersonated the developer after successfully authenticating using multi-factor authentication.
Start a new Thread