LastPass Details Security Breach, Hackers Accessed Encrypted Data

Russell Kidson
Mar 9, 2023
Updated • Mar 9, 2023

LastPass has released an update that discloses a security breach in which a threat actor gained access to corporate and customer data by infiltrating an employee's personal computer and deploying keylogger malware, enabling the perpetrator to infiltrate the company's cloud storage. This offers further insight into the sequence of hacks that transpired last year, culminating in the theft of LastPass's source code and customer vault data by an unauthorized third party.

In August of 2021, LastPass notified its users of a "security incident" wherein an unauthorized third party exploited a compromised developer account to access the password manager's source code and "some proprietary LastPass technical information." Subsequently, the company revealed a second security breach in November, disclosing that hackers had penetrated a third-party cloud storage service employed by the password manager, permitting the perpetrators to "access certain elements" of "customers' information."

LastPass disclosed on December 22nd that hackers had leveraged the information obtained during the August breach to breach the company's systems once again in November, resulting in the perpetrator copying a backup of partially encrypted customer vault data that contained website URLs, usernames, and passwords. In response, LastPass recommended that all stored passwords be changed as an additional precautionary measure, while emphasizing that the account's master password still secured the passwords.

In a recent update, LastPass revealed that the threat actor responsible for both security breaches was actively engaged in a new sequence of reconnaissance, enumeration, and exfiltration activities from August 12th to October 26th. During this period, the perpetrator stole valid credentials from a senior DevOps engineer to infiltrate shared cloud storage that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

Because the perpetrator was using these stolen but valid credentials, it was difficult to distinguish legitimate activity from suspicious activity. It's important to note that LastPass has since implemented measures to enhance its security protocols, such as adding multifactor authentication and modifying its DevOps procedures.
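The detection problem described above, as an added illustration rather than anything from LastPass: when the caller's credentials are valid, the only signal left is behaviour, so a baseline of where each principal normally connects from, plus a burst check on object downloads, can still surface an unusual pull of backups. The audit-log records, field layout and principal names below are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log records (not real data):
# (timestamp, principal, source_ip, action, object_key)
BASELINE_LOGS = [
    ("2023-08-01T09:02:00", "devops-a", "203.0.113.10", "GetObject", "backups/vault-001"),
    ("2023-08-02T10:15:00", "devops-a", "203.0.113.10", "ListObjects", "backups/"),
    ("2023-08-03T11:30:00", "devops-a", "203.0.113.11", "GetObject", "backups/vault-002"),
]
# Same valid principal, but a new network location and a rapid pull of many backups.
SUSPECT_LOGS = [
    ("2023-08-12T02:00:00", "devops-a", "198.51.100.7", "ListObjects", "backups/"),
    ("2023-08-12T02:00:30", "devops-a", "198.51.100.7", "GetObject", "backups/vault-001"),
    ("2023-08-12T02:01:00", "devops-a", "198.51.100.7", "GetObject", "backups/vault-002"),
    ("2023-08-12T02:01:30", "devops-a", "198.51.100.7", "GetObject", "backups/vault-003"),
]

def build_baseline(records):
    """Map each principal to the source IPs it used during the training window."""
    seen = defaultdict(set)
    for _, principal, ip, _, _ in records:
        seen[principal].add(ip)
    return seen

def detect(records, baseline, burst_n=3, window=timedelta(minutes=5)):
    """Return alerts for (a) a known principal appearing from an IP outside its
    baseline and (b) burst_n or more GetObject calls inside `window`, the
    pattern of a bulk backup pull. Credentials are valid either way; only the
    behaviour differs from the baseline."""
    alerts, flagged, downloads = [], set(), defaultdict(list)
    for ts, principal, ip, action, obj in records:
        t = datetime.fromisoformat(ts)
        if ip not in baseline.get(principal, set()) and (principal, ip) not in flagged:
            flagged.add((principal, ip))  # alert once per new (principal, ip) pair
            alerts.append(f"{ts} {principal} {action} {obj} from unseen IP {ip}")
        if action == "GetObject":
            recent = [x for x in downloads[principal] if t - x <= window] + [t]
            downloads[principal] = recent
            if len(recent) == burst_n:  # fire once, when the threshold is crossed
                alerts.append(f"{ts} {principal} pulled {burst_n} objects in {window}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SUSPECT_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

The baseline period itself produces no alerts; the suspect window yields one new-location alert and one download-burst alert, which is the kind of signal that remains when the credentials themselves look legitimate.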

According to recent reports, just four DevOps engineers had access to the decryption keys required to enter the cloud storage service containing LastPass's customer data. One of these engineers was targeted by exploiting an undisclosed vulnerability in a third-party media software package on their home computer and installing keylogger malware, enabling the perpetrator to steal the credentials needed to access the company's cloud storage. Ars Technica suggests that the home computer was likely breached through the Plex media platform, which also experienced a data breach shortly after LastPass's initial breach in August.

In response to these claims, Plex has issued a statement to other publications, stating that the company has not been contacted by LastPass and cannot comment on the details of the incident. However, Plex reiterated its commitment to security, noting that it works closely with external parties who report security issues using its guidelines and bug bounty program. The company further stated that it addresses vulnerabilities swiftly and thoroughly and has never had a critical vulnerability published for which there wasn't already a patched version available. In cases where Plex has experienced security incidents, the company has opted to communicate them quickly to its users.

LastPass has released a list of all the compromised data related to both security breaches on a dedicated support page. In an effort to prevent the updates from being indexed by search engines, the company has added HTML tags to the document, according to BleepingComputer. LastPass has also released a PDF with more information about the incidents that occurred last year, along with two security bulletins for LastPass Free, Premium, and Families customers and business administrators. These bulletins suggest recommended actions that can be taken to secure user accounts.

Comments

  1. Thomas Ringsma said on March 11, 2023 at 1:24 am

    I can't believe this 'engineer' accessed confidential data from his personal computer... what a stupid act and I hope they fired him/her on the spot.
    Also, shame on LastPass for allowing this in the first place or are they too cheap to provide their employees with secured laptops?
