LastPass said the threat actor that breached its systems in August accessed its development environment for four days, according to an updated blog post released Thursday by CEO Karim Toubba. LastPass completed an investigation and forensic review with incident response firm Mandiant.
LastPass said its security team detected the threat actor inside its systems during the four-day period and was able to contain the activity. The company found no further evidence of activity from the actor, and no customer data or encrypted password vaults were accessed.
The threat actor used a developer’s compromised endpoint to gain access to the LastPass development environment. While it remains unclear how the endpoint was compromised, the threat actor was able to impersonate the developer once the developer had successfully used multifactor authentication to confirm identity.
Late last month, the password manager used by about 33 million users disclosed a breach in which a threat actor accessed its source code and took some technical information.
LastPass says its development environment is "physically separated" from its production environment, leaving no direct access. Developers cannot push source code from the development environment into the production side.
The company has found no code poisoning or injection of malicious code.
LastPass said it partnered with a leading cybersecurity firm to enhance its source code safety practices, which include secure software development lifecycle, bug bounty, threat modeling and vulnerability management.
The company also deployed additional security controls on its endpoints and additional threat intelligence capabilities, and added enhanced detection and prevention in its development and production environments.