Last month, LastPass admitted that an unauthorized party was able to breach the system and had access to sensitive information for about four days. LastPass’ CEO said that the company worked closely with security experts from Mandiant and the investigation revealed that no user data has been compromised.
The attacker, however, was able to access LastPass’ password manager source code as well as technical information. The access was limited to the service’s development environment which has nothing to do with user data. Not to mention LastPass itself doesn’t have access to users’ master passwords, which in turn are needed to decrypt the data.
The investigation suggests that the attacker used a developer’s endpoint and impersonated the developer after authenticating successfully using multi-factor authentication.
