LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults

Feb 28, 2023 | Ravie Lakshmanan | Password Security / Data Breach

LastPass, which in December 2022 disclosed a severe data breach that allowed threat actors to access encrypted password vaults, said it happened as a result of the same adversary launching a second attack on its systems.

The company said one of its DevOps engineers had their personal home computer breached and infected with a keylogger as part of a sustained cyber attack that exfiltrated sensitive data from its Amazon AWS cloud storage servers.

“The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack,” the password management service said.

This intrusion targeted the company’s infrastructure, resources, and one of its employees from August 12, 2022 to October 26, 2022. The original incident, on the other hand, ended on August 12, 2022.

The August breach saw the intruders accessing source code and proprietary technical information from its development environment by means of a single compromised employee account.

In December 2022, LastPass revealed that the threat actor leveraged the stolen information to access a cloud-based storage environment and get hold of “certain elements of our customers’ information.”

Later in the same month, the unknown attacker was disclosed as having obtained access to a backup of customer vault data that it said was protected using 256-bit AES encryption. It did not divulge how recent the backup was.

GoTo, the parent company of LastPass, also fessed up to a breach last month stemming from unauthorized access to the third-party cloud storage service.

Now, according to the company, the threat actor engaged in a new series of “reconnaissance, enumeration, and exfiltration activities” aimed at its cloud storage service between August and October 2022.

“Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment,” LastPass said, adding the engineer “had access to the decryption keys needed to access the cloud storage service.”

This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.

The employee’s passwords are said to have been siphoned by targeting the individual’s home computer and leveraging a “vulnerable third-party media software package” to achieve remote code execution and plant keylogger software.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” LastPass said.

LastPass did not reveal the name of the third-party media software used, but indications are that it could be Plex based on the fact that it suffered a breach of its own in late August 2022.

Following the incident, LastPass further said it upgraded its security posture by rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor, and that it applied extra S3 hardening measures to put in place logging and alerting mechanisms.

LastPass users are highly recommended to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.
