More details have been shared regarding the password management solution Lastpass security incident last month. It discloses that the hacker has gained access to its systems for a four-day period in August 2022.

CEO Karim Toubba stated in an update shared on September 15, “there is no evidence that this incident involved any access to customer data or encrypted password vaults or any threat actor activity beyond the established timeline.”

In late August, LastPass revealed that a breach targeting its development environment resulted in the theft of some of its source code and technical information, although no further specifics were offered.

Working with incident and cybersecurity firm Mandiant, the company said it completed the probe into the hack and noted the access was achieved using a developer’s compromised endpoint. While the exact method of initial entry remains “inconclusive,” LastPass noted the adversary abused the persistent access to impersonate the developer after the victim had been authenticated using multi-factor authentication.

The company reiterated that despite the unauthorized access, the attacker failed to obtain any sensitive customer data owing to the system design and zero trust controls put in place to prevent such incidents. This includes the complete separation of development and production environments and its own inability to access customers’ password vaults without the master password set by the users. 

“Without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data,” Toubba pointed out.