LastPass says Top Engineer’s home PC was hacked to steal data

Image for article titled Hacker installed a keylogger on a LastPass engineer's PC to manage the company's cloud

Photo: Maor_Winetrob (Shutterstock)

Besieged password manager LastPass has announced another serious security error, and this time it might be the last straw for some users.

For months, the company periodically provides updates on a villain data breach happened last August. At the time, LastPass revealed that a cybercriminal had managed to sneak into the company’s development environment and steal source code, but claims there was “no evidence” that any user data was compromised as a result. Then, in December, the company made a updaterevealing that, well, actually, yes, some user information had was compromised, but could not share what, exactly, was affected. Several weeks later he did reveal What was impacted: User vault data, which in extreme circumstances could lead to total account compromises. And now, finally, LastPass has again provided more details, revealing that the fallout from the breach was even worse than previously imagined. That’s probably enough to make some users run screaming for the hills.

According to a Press release Published on Monday, August’s first data breach allowed the cybercriminal in question to hack into the personal computer of one of LastPass’s most privileged employees – a senior DevOps engineer and one of four employees with access to the keys. decryption that could unlock the platform’s shared cloud environment. The hacker then equipped the engineer’s computer with a keylogger, which allowed him to steal his LastPass master password. Using the PW, the cybercriminal managed to break into the engineer’s password vault and, stealing the necessary decryption keys from the engineer’s account, penetrated into the shared cloud environment of LastPass, where he stole a whole series of important data.

The company admits that the hacker “exported the company’s native vault entries and the contents of the shared folders, which contained secure notes encrypted with the access and decryption keys needed to access AWS production backups. S3 LastPass, other cloud-based storage resources, and related critical database backups,”

In short: ouch, ouch, ouch.

Suffice it to say, this won’t make most of the platform’s customers very happy. The extent to which the cybercriminal was able to penetrate the company’s defenses is certainly disconcerting. In fact, security reporter Joseph Cox of Motherboard is recommend that people are avoiding LastPass altogether. In his article on the most recent revelations, Cox takes aim at the password manager for its security flaws, questionable PR tactics and lack of transparency:

LastPass, the popular password manager, is out of goodwill. Since the company first disclosed a breach in August, it has slowly provided consumers with drops of information, and the new details coming out increasingly paint a picture of a company it doesn’t. should not be trusted with your passwords.

Cox ends his article by noting that “it’s time for another password manager”. For more than a few users, they are undoubtedly on the same page.

Leave a Comment