LastPass says hackers broke into an employee PC to steal the company’s password vault

LastPass has posted an update on its investigation regarding a couple of security incidents that took place last year, and they’re sounding graver than previously thought. Apparently, the bad actors involved in those incidents also infiltrated a company DevOps engineer’s home computer by exploiting a third-party media software package. They implanted a keylogger into the software, which they then used to capture the engineer’s master password for an account with access to the LastPass corporate vault. After they got in, they exported the vault’s entries and shared folders that contained decryption keys needed to unlock cloud-based Amazon S3 buckets with customer vault backups.

This latest update in LastPass’ investigation gives us a clearer picture of how the two security breach incidents it went through last year were connected. If you’ll recall, LastPass revealed in August 2022 that an “unauthorized party” gained entry into its system. While the first incident ended on August 12th, the company said in its new announcement that the threat actors were “actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12th, 2022 to October 26th, 2022.”

When the company announced the second security breach in December, it said the bad actors used information obtained from the first incident to get into its cloud service. It also admitted that the hackers made off with a bunch of sensitive information, including its Amazon S3 buckets. To be able to access the data saved in those buckets, the hackers needed decryption keys saved in “highly restricted set of shared folders in a LastPass password manager vault.” That’s why the bad actors targeted one of the four DevOps engineers who had access to the keys needed to unlock the company’s cloud storage. 

In a support document (PDF) the company released (via BleepingComputer), it detailed the data accessed by the threat actors during the two incidents. Apparently, the cloud-based backups accessed during the second breach included “API secrets, third-party integration secrets, customer metadata and backups of all customer vault data.” The company insisted that all sensitive customer vault data aside from some exceptions “can only be decrypted with a unique encryption key derived from each user’s master password.” The company added that it doesn’t store users’ master passwords. LastPass also detailed the steps it has taken to strengthen its defenses going forward, including revising its threat detection and making “a multi-million-dollar allocation to enhance [its] investment in security across people, processes, and technology.”