After being affected by a cyber security breach, the password app LastPass, sought to bring peace of mind to its users. The company reported that the security system prevented the hacker from accessing customer data and encrypted passwords. This company is one of the password managers in the market. It aims to reduce the reuse of online passwords by storing them in a single application. In addition, it makes it easier for users to generate security keys if necessary.
Last August, the company determined that some of its source code came from unauthorized access. The same had occurred in the third-party storage service, through which the company had been using. Upon investigation, LastPass confirmed that the threat actor gained access to the company’s development environment. The system prevented access, the firm reported, to customer data or encrypted passwords.
LastPass and its theme tracking
The company and its dedicated security app confirmed that the attacker took parts of the source code. In addition to this, the invader also got hold of certain technical information, which was patented by the company. However, it believes that the risk to the application is very limited. LastPass made it clear that its production environment was physically separate from the development environment, with no direct connection.
The firm did not let the event pass unnoticed and conducted an analysis of its source code and production builds. The intent was to verify that there were no attempts to inject any malicious code. The company reported at the time that “developers do not have the ability to pass source code from the production development environment.”
Security as the key to these times
LastPass, in the statement provided at the time, stated:
“This capability is limited to a separate build release team that can only occur after completing rigorous code review, testing and validation processes.”
Karim Toubba, the company’s chief executive officer, informed his clients about what had happened. There he reported that information gathered from the previous attack was used to subsequently access “certain elements of our customers’ information”. The company did not specify what information was obtained by the hacker. However, it did state that passwords remained securely encrypted.
Additionally, it should be noted that LastPass does not have access to customer master passwords. This means that only the user has access to decrypt the passwords being stored. Toubba also made it clear that work is underway to “understand the scope of the incident and identify what specific information has been accessed.” The executive director stated that they are working on increased security measures and monitoring to detect new external threat activities.
