Attackers stole LastPass data by hacking into an employee’s personal computer

LastPass says a malicious actor was able to steal corporate and customer data by hacking into an employee’s personal computer and installing keylogger malware, which allowed the attacker to access storage in the company’s cloud environment. The update provides more insight into how the series of hacks happened last year that resulted in the popular password manager’s source code and customer vault data being stolen by an unauthorized third party.

Last August, LastPass notified its users of a “security incident” in which an unauthorized third party used a compromised developer account to gain access to password manager source code and “certain proprietary technical information of LastPass”. The company then revealed a second security breach in November, announcing that hackers had accessed a third-party cloud storage service used by the password manager and were able to “access certain elements” of “customer information”.

On December 22, LastPass revealed that hackers had used information from the first breach in August to gain access to its systems during the second incident in November, and that the attacker was able to copy a backup of partially encrypted customer vault data containing website URLs, usernames, and passwords. “Partially encrypted” matters here: some fields, such as the website URLs, were stored in the clear, while usernames and passwords were encrypted. LastPass then advised its users to change all of their stored passwords as “an added security measure”, even though the encrypted passwords remained protected by each account’s master password.

Now, LastPass has revealed that the threat actor responsible for the two security breaches was “actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities” between August 12 and October 26. During that period, the attacker used valid credentials stolen from a senior DevOps engineer to access shared cloud storage containing the encryption keys for customer vault backups stored in Amazon S3 buckets. Because the credentials were genuine, the attacker’s activity looked like the engineer’s own, which made it difficult to distinguish legitimate from suspicious activity.

It is suspected that the hacker gained access to the private computer through the Plex multimedia software installed on the machine

Only four DevOps engineers had access to the decryption keys needed to access the cloud storage service. One of them was targeted through a vulnerable (undisclosed) third-party media software package on his personal computer, which the attacker exploited to install keylogger malware. Ars Technica reports that the computer was likely compromised through the Plex media platform, which itself disclosed a data breach shortly after LastPass reported its first incident in August. Neither company has confirmed this. We’ve reached out to LastPass and Plex for clarification and will update this story if we receive a response.

After the keylogger was installed, LastPass states that the threat actor “was able to capture the employee’s master password as it was entered, after the employee authenticated with (multi-factor authentication), and access the DevOps Engineer’s LastPass Enterprise Vault”. MFA did not help because the keylogger was running on the engineer’s already-trusted machine and simply captured the master password once the legitimate MFA step had completed. The company has since taken additional steps to secure its platform, including revoking certificates, rotating credentials known to the threat actor, and implementing additional logging and alerting on its cloud storage.
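The two passages above describe what made this hard to catch: the credentials were valid, and the backup reads from S3 looked like routine DevOps work. The following is an added example, not LastPass code and not a description of LastPass’s environment, of the kind of rule that the extra logging and alerting on cloud storage mentioned above could drive. It runs over constructed CloudTrail-style S3 data events and flags a known principal appearing from a source address never seen before, and a burst of reads against a backup bucket. The bucket name, account ID, ARN, IP addresses, baseline and thresholds are all hypothetical.

```python
"""Flagging abuse of valid credentials against S3 backup storage.

Added example (not LastPass code). Events are CONSTRUCTED in the shape of
CloudTrail S3 data events, trimmed to the fields the rules need. All
identifiers below (account, user, bucket, IPs) are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical baseline: (principal, source IP) pairs seen during normal
# DevOps activity. In practice this is built from historical CloudTrail data.
KNOWN_ACCESS = {
    ("arn:aws:iam::123456789012:user/devops-alice", "203.0.113.10"),
}
BACKUP_BUCKETS = {"example-vault-backups"}   # hypothetical bucket
BULK_THRESHOLD = 5                           # GetObject calls per window
WINDOW = timedelta(minutes=10)


def _event(time, name, ip, bucket, key=None,
           principal="arn:aws:iam::123456789012:user/devops-alice"):
    """Build one constructed CloudTrail-style S3 event (minimal fields)."""
    params = {"bucketName": bucket}
    if key:
        params["key"] = key
    return {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"arn": principal},
        "requestParameters": params,
    }


# Constructed sample: one routine read from a known address, then the same
# principal from an unfamiliar address enumerating and bulk-reading backups.
EVENTS = [
    _event("2022-09-01T09:00:00Z", "GetObject", "203.0.113.10",
           "example-vault-backups", "daily/2022-08-31.tar"),
    _event("2022-09-01T22:10:00Z", "ListObjects", "198.51.100.77",
           "example-vault-backups"),
] + [
    _event(f"2022-09-01T22:{11 + i}:00Z", "GetObject", "198.51.100.77",
           "example-vault-backups", f"daily/2022-08-{26 + i}.tar")
    for i in range(5)
]


def detect(events, known_access=KNOWN_ACCESS, backup_buckets=BACKUP_BUCKETS,
           threshold=BULK_THRESHOLD, window=WINDOW):
    """Return alerts for (a) a principal seen from a new source IP and
    (b) >= threshold backup-object reads by one principal inside `window`.
    Each condition fires once per principal/pair so a burst does not flood."""
    alerts = []
    seen_pairs = set(known_access)
    reads = defaultdict(list)   # principal -> timestamps of backup reads
    bulk_fired = set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal = ev["userIdentity"]["arn"]
        ip = ev["sourceIPAddress"]
        bucket = ev["requestParameters"]["bucketName"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

        # Rule 1: valid credentials used from an address never seen for them.
        if (principal, ip) not in seen_pairs:
            seen_pairs.add((principal, ip))
            alerts.append({"type": "new_source_ip", "principal": principal,
                           "ip": ip, "time": ev["eventTime"]})

        # Rule 2: sliding-window count of backup reads per principal.
        if ev["eventName"] == "GetObject" and bucket in backup_buckets:
            recent = [t for t in reads[principal] if ts - t <= window] + [ts]
            reads[principal] = recent
            if len(recent) >= threshold and principal not in bulk_fired:
                bulk_fired.add(principal)
                alerts.append({"type": "bulk_backup_read",
                               "principal": principal, "ip": ip,
                               "bucket": bucket, "count": len(recent),
                               "time": ev["eventTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Neither rule needs the credentials to be bad: both key on behaviour (where a principal logs in from, and how much of the backup set it pulls and how fast) rather than on the identity itself, which is the only signal left once the attacker holds a valid password and has already passed MFA on the victim’s machine.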

Along with the announcement, LastPass posted a full list of the data compromised in the two security incidents on a dedicated support page. BleepingComputer reports that LastPass appears to have tried to keep the update low-profile, noting that HTML tags had been added to the page to prevent it from being indexed by search engines. LastPass has also released a PDF with more details on last year’s incidents as well as two additional security bulletins – one for LastPass Free, Premium, and Families customers and another for Enterprise administrators – with recommended actions to secure your accounts.