LastPass hacked - attackers accessed data vault

Breached an engineer's home PC and remained active until October

LastPass engineer's hacked computer enabled attackers to access data vault content


A DevOps engineer at password management firm LastPass had their home computer compromised and infected with keylogging malware during last year's cyberattack; the credentials captured on that machine were then used to exfiltrate corporate data.

In December, LastPass revealed that a breach in August 2022 had allowed the attackers to copy encrypted customer password vaults and steal other customer information.

The initial breach was contained on 12th August 2022, but LastPass now says the threat actor then carried out a second series of reconnaissance, enumeration and exfiltration activities from 12th August until 26th October.

During the second incident, the threat actor used information exfiltrated during the first incident, obtained before the LastPass teams completed their credential reset, to enumerate and exfiltrate data from cloud storage resources.

Specifically, the attackers used valid credentials stolen from a senior DevOps engineer's personal home computer to access a shared cloud-storage environment.

They planted a keylogger on the engineer's device and ultimately extracted data from AWS cloud storage.

In its December disclosure, LastPass said the attacker had acquired a cloud storage access key and dual storage container decryption keys, which together allowed them to copy customer vault backup data from the encrypted storage container. At the time, the company did not say where the attacker had obtained those keys.

The copied backup data comprised unencrypted fields (website URLs) as well as website usernames and passwords, form-fill data and secure notes, which were protected by an extra layer of encryption.

According to LastPass' latest update, the tactics, techniques and procedures (TTPs) used in the first incident differed from those in the second. That made it difficult for investigators to initially connect the two incidents.

The company only became aware of the second incident when AWS alerted it to abnormal activity: the threat actor had attempted to use cloud identity and access management (IAM) roles to perform unauthorised actions. Copying the backups with a valid access key and decryption keys had not, by itself, raised that alarm.

The attacker exploited third-party media software to compromise the employee's home computer. LastPass did not say which software it was, but sources cited by Ars Technica said the hackers leveraged a vulnerability in the Plex media platform.

Plex acknowledged a data breach of its own 12 days after the LastPass attack. In that incident the attacker breached a database and stole password information, usernames and email addresses associated with some of the company's 30 million customers.

It is unclear whether the Plex breach is related to the LastPass attacks.

LastPass says it has implemented several measures to prevent a repeat.

These include rotating critical and high-privilege credentials, reissuing certificates the attacker obtained, and applying additional S3 hardening to establish logging and alerting on the storage environment.
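The attack pattern described above, a long-lived access key used from a new location to enumerate storage, copy backups and then probe IAM roles, is the kind of activity that storage logging and alerting is meant to surface. The following is an added illustration, not LastPass's or AWS's own detection logic: three simple rules run over constructed CloudTrail-style records. The access key ID, bucket names, IP addresses and timestamps are all made up for the example, and the rules only use the handful of fields a real CloudTrail record would carry.

```python
"""Three detections over CloudTrail-style events modelled on the attack
described above. All data below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, name, key, ip, bucket=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventName": name,
           "userIdentity": {"accessKeyId": key},
           "sourceIPAddress": ip, "requestParameters": {}}
    if bucket:
        rec["requestParameters"]["bucketName"] = bucket
    if error:
        rec["errorCode"] = error
    return rec


# Constructed baseline: source IPs each long-lived key has previously been seen from.
BASELINE_IPS = {"AKIAEXAMPLEDEVOPS1": {"203.0.113.10"}}  # hypothetical engineer's key

# Constructed events: routine daytime use, then a night-time session from a new IP
# that enumerates storage, pulls vault backups and finally trips on IAM role use.
SAMPLE_EVENTS = [
    ev("2022-09-01T09:00:00Z", "GetObject",   "AKIAEXAMPLEDEVOPS1", "203.0.113.10", "build-artifacts"),
    ev("2022-09-01T22:00:00Z", "ListBuckets", "AKIAEXAMPLEDEVOPS1", "198.51.100.7"),
    ev("2022-09-01T22:00:05Z", "ListObjects", "AKIAEXAMPLEDEVOPS1", "198.51.100.7", "customer-vault-backups"),
    ev("2022-09-01T22:00:10Z", "ListObjects", "AKIAEXAMPLEDEVOPS1", "198.51.100.7", "build-artifacts"),
    ev("2022-09-01T22:01:00Z", "GetObject",   "AKIAEXAMPLEDEVOPS1", "198.51.100.7", "customer-vault-backups"),
    ev("2022-09-01T22:01:05Z", "GetObject",   "AKIAEXAMPLEDEVOPS1", "198.51.100.7", "customer-vault-backups"),
    ev("2022-09-01T22:30:00Z", "AssumeRole",  "AKIAEXAMPLEDEVOPS1", "198.51.100.7", error="AccessDenied"),
]


def _t(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _key(rec):
    return rec["userIdentity"]["accessKeyId"]


def new_source_ip(events, baseline):
    """Rule 1: a long-lived IAM user key (AKIA... prefix) used from an IP never
    seen for it before. Temporary STS keys (ASIA...) are skipped because their
    source IPs churn legitimately. Each new (key, ip) pair is reported once."""
    seen = {k: set(v) for k, v in baseline.items()}
    findings = []
    for rec in events:
        key, ip = _key(rec), rec["sourceIPAddress"]
        if not key.startswith("AKIA"):
            continue
        if ip not in seen.setdefault(key, set()):
            findings.append((key, ip))
            seen[key].add(ip)
    return findings


def enumeration_then_read(events, window=timedelta(minutes=5), min_lists=2):
    """Rule 2: a key issues at least `min_lists` List* calls within `window`
    and then reads a bucket it has never read before. Fires once per (key, bucket)."""
    events = sorted(events, key=_t)
    read_before = defaultdict(set)
    findings = []
    for i, rec in enumerate(events):
        key = _key(rec)
        if rec["eventName"] != "GetObject":
            continue
        bucket = rec["requestParameters"].get("bucketName")
        if bucket in read_before[key]:
            continue
        start = _t(rec) - window
        lists = sum(1 for prev in events[:i]
                    if _key(prev) == key and prev["eventName"].startswith("List")
                    and _t(prev) >= start)
        if lists >= min_lists:
            findings.append((key, bucket))
        read_before[key].add(bucket)
    return findings


def denied_role_use(events):
    """Rule 3: an access key attempting to assume IAM roles and being denied."""
    return [(_key(r), r["sourceIPAddress"]) for r in events
            if r["eventName"] == "AssumeRole" and r.get("errorCode") == "AccessDenied"]


def run_all(events, baseline):
    """Run every rule and return findings keyed by rule name."""
    return {"new_source_ip": new_source_ip(events, baseline),
            "enumeration_then_read": enumeration_then_read(events),
            "denied_role_use": denied_role_use(events)}


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS, BASELINE_IPS).items():
        print(rule, hits)
```

Two caveats matter in practice. Rule 2 depends on S3 data events (GetObject, ListObjects) actually being logged, which CloudTrail does not do by default; enabling that logging on the buckets holding backups is the kind of "S3 hardening to establish logging and alerting" the article refers to. And rule 3 only triggers once the attacker oversteps the key's permissions, which in this story is what finally raised the alarm; rules 1 and 2 are there to fire earlier, while the stolen key is still being used exactly as its legitimate owner would.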