LastPass Breach That Leaked Customer Password Vaults Came from Employee’s Home Computer

LastPass today revealed details of how hackers stole customers’ encrypted password vaults in a breach that it disclosed back in December, noting that the extensive attack involved breaking into an employee’s home computer (via BleepingComputer).

The overarching attack was “a campaign of overlapping activity,” as the company described it, and targeted LastPass infrastructure, resources, and an employee.

According to LastPass, the attackers used information obtained from a previous hack back in August and exploited a remote code execution vulnerability in a third-party media software package to plant a keylogger on the home computer of one of only four DevOps engineers at the company who held the credentials required to access the servers that store customer data.

“Despite high confidence in the outcomes of our investigation and actions taken in response to the first incident, the threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack,” said LastPass.

Using the previously stolen data and the keylogger, the hackers obtained the AWS access keys and LastPass-generated decryption keys required to reach the AWS cloud storage that houses backups of LastPass customer data and encrypted vaults.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” the company added.

“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

LastPass’s investigation found that the hackers were able to access and steal data, including customers’ encrypted password vaults, from the company’s cloud storage servers for over two months, between August 12, 2022, and October 26, 2022.
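A two-month window in which a stolen IAM access key reads production backups is the kind of activity that S3 data-event logging plus a narrow alert should surface within hours. The following is an added example, not LastPass's own tooling: it runs a simple rule over constructed CloudTrail-style S3 records (reads of a backup bucket, made with a long-lived IAM user key, from outside the expected networks) and then reports how long each flagged key stayed in use. The bucket name, key IDs, IP ranges and records are all made up for illustration.

```python
"""
Added example (not LastPass code): flag reads of production backup objects made
with a long-lived IAM user access key from outside the expected networks, then
report the dwell time of each flagged key. All values below are constructed.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime

# Assumed detection policy (constructed values).
BACKUP_BUCKETS = {"prod-vault-backups"}
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # corporate / CI egress
DATA_READ_EVENTS = {"GetObject", "GetObjectVersion", "ListObjects", "ListObjectsV2", "CopyObject"}

# Constructed CloudTrail-style records. Field names follow the CloudTrail schema;
# values are invented (the AKIA/ASIA IDs are AWS documentation example IDs).
SAMPLE_EVENTS = [
    {"eventTime": "2022-08-12T03:14:07Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "prod-vault-backups", "key": "db/2022-08-11.sql.gz"}},
    {"eventTime": "2022-09-03T11:02:55Z", "eventName": "ListObjectsV2", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "prod-vault-backups"}},
    {"eventTime": "2022-09-10T08:30:00Z", "eventName": "GetObject", "sourceIPAddress": "10.20.5.4",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "prod-vault-backups", "key": "db/2022-09-09.sql.gz"}},
    {"eventTime": "2022-09-11T09:00:00Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "prod-vault-backups", "key": "db/2022-09-10.sql.gz"}},
    {"eventTime": "2022-09-12T09:00:00Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
    {"eventTime": "2022-09-13T09:00:00Z", "eventName": "PutObject", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "prod-vault-backups", "key": "db/2022-09-12.sql.gz"}},
    {"eventTime": "2022-10-26T22:41:00Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "prod-vault-backups", "key": "vaults/2022-10-25.tar.enc"}},
]


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_long_lived_key(access_key_id: str) -> bool:
    """IAM user keys start with AKIA; temporary STS credentials start with ASIA."""
    return access_key_id.startswith("AKIA")


def is_expected_source(ip: str) -> bool:
    """True only for addresses inside the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail may carry a DNS name for AWS-internal callers
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)


def suspicious_backup_reads(events: list[dict]) -> list[dict]:
    """Reads of a backup bucket with a long-lived key from an unexpected source."""
    findings = []
    for ev in events:
        bucket = ev.get("requestParameters", {}).get("bucketName")
        key_id = ev.get("userIdentity", {}).get("accessKeyId", "")
        if ev.get("eventName") not in DATA_READ_EVENTS or bucket not in BACKUP_BUCKETS:
            continue
        if not is_long_lived_key(key_id) or is_expected_source(ev.get("sourceIPAddress", "")):
            continue
        findings.append({"time": _parse_time(ev["eventTime"]), "eventName": ev["eventName"],
                         "accessKeyId": key_id, "sourceIPAddress": ev["sourceIPAddress"],
                         "bucket": bucket})
    return findings


def key_usage_windows(findings: list[dict]) -> dict[str, tuple[datetime, datetime, int]]:
    """Per access key: first seen, last seen, and dwell time in whole days."""
    windows: dict[str, tuple[datetime, datetime]] = {}
    for f in findings:
        first, last = windows.get(f["accessKeyId"], (f["time"], f["time"]))
        windows[f["accessKeyId"]] = (min(first, f["time"]), max(last, f["time"]))
    return {k: (first, last, (last - first).days) for k, (first, last) in windows.items()}


if __name__ == "__main__":
    hits = suspicious_backup_reads(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']:%Y-%m-%d} {h['eventName']:<14} {h['accessKeyId']} "
              f"from {h['sourceIPAddress']} on {h['bucket']}")
    for key, (first, last, days) in key_usage_windows(hits).items():
        print(f"{key}: first {first:%Y-%m-%d}, last {last:%Y-%m-%d}, {days} days in use")
```

Two caveats on the rule as written. It deliberately ignores temporary STS credentials (ASIA keys), so an attacker who used a stolen long-lived key only to assume a role would slip past it; a production version would join on the role session's source key. And it needs S3 data events enabled in CloudTrail for the backup bucket, which is off by default; without that, the GetObject calls it looks for are never logged at all.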

The following customer data was affected by the incident, per a LastPass support page:

  • Customer Account Secrets, API Keys, and Third-Party Integration Information
  • LastPass Customer Database
  • LastPass Customer Vault Data

In addition to customer data, the attackers also gained access to LastPass development and production environments and other internal resources.

Since discovering the massive security breach, LastPass has taken steps to shore up its defences, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.

LastPass has also published security bulletins that recommend actions for Free, Premium, and Families customers and for LastPass Business administrators in response to the hack. Notably, the support bulletins LastPass shared today cannot be found through a search engine, since the company has marked each of the pages as not to be indexed.
