On Monday, LastPass, the company boasting over 30 million users and 85,000 business customers, confirmed that it had been attacked by the same threat actor who had previously breached its security and partially accessed encrypted login data.
LastPass is a prominent password manager. The company says that one of its DevOps engineers' personal computers was compromised and used to exfiltrate corporate data from its cloud storage resources.
The unidentified attacker combined data stolen in the first breach in August 2022 with data from a third-party breach and a vulnerability in a third-party media software package to launch a coordinated attack.
LastPass Data Breach Spree
It is worth noting that LastPass has been on a data breach spree for some time now. In January 2023, GoTo-owned LastPass addressed a November 2022 data breach and announced that hackers had stolen customers’ encrypted data.
In late December 2022, LastPass announced that it had been breached again and that hackers had managed to steal user data and encrypted password vaults. In early December 2022, the password manager giant announced suffering yet another data breach, in which the company detected unusual activity on its cloud storage shared with GoTo.
In August 2022, LastPass announced yet another cyber attack, stating that hackers had managed to steal its source code; however, no customer data was stolen.
How did it Happen?
LastPass collaborated with Mandiant's incident response team on the forensic investigation, which found that the attacker targeted the DevOps engineer's home computer, exploiting the vulnerable third-party media software package to gain remote code execution and install a keylogger.
The keylogger allowed the attacker to capture the employee's master password as it was entered, after the employee had authenticated with MFA, and then to access the victim's LastPass corporate vault. It is worth noting that the victim was one of only four LastPass employees with access to the company's corporate vault.
LastPass’s Official Statement
In its official statement, GoTo-owned LastPass explained the findings of its investigation, which read:
“The threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022, to October 26, 2022.”
With the decrypted corporate vault in hand, the attacker exported its entries, including decryption keys. Using these keys, the attacker accessed a shared cloud storage environment where the company had stored customer vault backups and encryption keys in Amazon S3 buckets.
According to LastPass, the decryption keys enabled the attacker to steal AWS S3 LastPass production backups, critical database backups, and cloud-based storage resources.