Reassurance from CEO about the Breach at LastPass
LastPass, the password manager application, had reported that it found a security breach back in August. The perpetrator had supposedly stayed in the network for only 4 days and had access only to the development environment, not to the customer data or the password vaults. The threat actor had gained access to the development environment through one of the developers' endpoints by impersonating that developer. LastPass has hired Mandiant to conduct the necessary forensics to identify the extent of the breach, the methods to contain it and the further steps needed to avoid such a mishap in the future.
Karim Toubba, LastPass's CEO, went on in his letter to explain why they believe that the hacker did not have access to anything beyond the development environment:
- The service's development environment is physically separated from the production network that houses customer data and password vaults
- No customer data or password vault information is carried back into the service's development environment
- LastPass does not have access to the Master Password, which is what decrypts the password vault (they can't lose something they don't have in the first place)
Since the hacker had access to the development environment, it raises the question of whether any kind of code poisoning or malicious code injection might have happened. Karim Toubba goes on to explain the production release process at a high level, assuring that developers do not have access to make production updates and that the code undergoes rigorous code review, testing and validation before it is moved into production.
LastPass appears to be following some of the best practices in information security to protect its users and their data, while instilling confidence in all to trust its products and services.