LastPass said there's no evidence the threat actor stole any customer data or encrypted password vaults.
In partnership with cybersecurity company Mandiant, the password manager with over 25 million users completed the investigation of the breach, disclosed on August 25.
"Our investigation revealed that the threat actor's activity was limited to a four-day period in August 2022," Karim Toubba, CEO of LastPass, said. "We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults."
The investigation confirmed that the threat actor gained access to the development environment via a compromised developer's account.
"While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication," Toubba said.
He assured the threat actor did not access any customer data or encrypted password vaults. The development environment is physically separate and has no connectivity to the production environment, and it does not contain any customer data or encrypted vaults.
"LastPass does not have any access to the master passwords of our customers' vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data," Toubba said.
This is not the first scare for LastPass customers in recent history. Last December, a LastPass user submitted a post to Hacker News, stating that they received a security alert from LastPass about a blocked login attempt from Brazil. According to the user, the person who attempted the login was using their LastPass account's master password.
More from Cybernews:
Subscribe to our newsletter