The password manager company LastPass has provided an update on the incident report it issued last December.
In an email to customers on Wednesday, LastPass announced that it finished an exhaustive investigation and didn’t see any threat actor activity since Oct. 26. The company has posted an update on its blog with new findings and important information.
LastPass revealed that the two incidents were not caused by any LastPass product defect or unauthorized access to production systems. Instead, the threat actor exploited a vulnerability in third-party software.
In the first incident, the hacker gained access to a cloud-based development environment and stole source code, technical information, and certain LastPass internal system secrets.
In the second incident, the threat actor targeted a senior DevOps engineer and used malware to gain access to cloud backups. The data accessed included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
LastPass has taken several actions to secure its systems, including removing the development environment and rebuilding a new one, deploying additional security technologies and controls, analyzing cloud-based storage resources and applying additional policies and controls, analyzing and changing existing privileged access controls, and rotating relevant secrets and certificates that were accessed by the threat actor.
To protect its accounts, the company has prepared a Security Bulletin specifically for subscribers to its Free, Premium, and Families plans to help guide them through a review of their accounts’ safety.
LastPass is also recommending that users enable multi-factor authentication, review their account activity for any suspicious activity, and change their master password.
In the email to customers, LastPass said it is committed to doing right by its customers and communicating more effectively going forward, and that it is taking steps to ensure that all of its customers have the information they need to protect their accounts.