August intrusion into LastPass development environment results in 2nd breach

Password management company says a threat actor used information from previous breach to access customer information.

When a threat actor manages to gain access to an organization’s software development environment, bad things can happen.

The latest to learn that lesson the hard way is password management vendor LastPass, which in August 2022 experienced an incident where an intruder broke into its development environment and stole some of the company’s source code and other intellectual property.

Three months after the breach, the same attacker appears to have used data obtained from that intrusion to illegally access LastPass customer information stored with a third-party cloud storage service provider. In a blog Wednesday, LastPass CEO Karim Toubba said his company was investigating the incident and trying to figure out what data exactly the attacker compromised.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” LastPass CEO Karim Toubba said in a blog. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”

Toubba did not identify the third-party cloud storage provider but noted that LastPass affiliate GoTo is also using the same provider to store customer information.

Meanwhile, in a similar disclosure, GoTo CEO Paddy Srinivasan informed customers it was investigating a security incident involving a potential breach of its development environment—and also of customer data in a third-party cloud storage service it is currently sharing with LastPass. It’s not immediately clear if the intrusion into the development environment that GoTo reported has any connection to the August 2022 breach at LastPass.

The new breach at LastPass suggests the threat actors who broke into its development environment in August might have done more than steal some of the company’s source code and IP.

As the infamous intrusion at SolarWinds demonstrated, an attacker with access to an organization’s software development and build environment can do a lot more than steal data. In that intrusion, the hackers—believed linked to Russia’s foreign intelligence service SVR—managed to insert a backdoor dubbed “Sunburst” into a digitally signed update of SolarWinds’ Orion network management software. More than 18,000 organizations received the poisoned update, though the threat actor eventually targeted fewer than 100 of them for follow-up attacks.

Since SolarWinds, there have been several other similar intrusions, including most notably one at Codecov, where a threat actor got access to its customers’ data by placing a backdoor into Codecov. Security experts consider these kinds of compromises extremely hard to detect and capable of impacting a large number of organizations.

It’s unclear what exactly the threat actor that broke into LastPass’ development environment in August might have done with their access. But, as the breach the company disclosed this week suggests, the attacker appears to have accessed more information than originally thought.

The question that many would likely want to know now is whether the adversary managed to sneak any backdoors into LastPass’s software that the company doesn’t know about yet.