In December 2022, LastPass disclosed a significant data breach that permitted cybercriminals to access encrypted password vaults. This breach resulted from a coordinated second attack, leveraging vulnerabilities that emerged from an earlier incident. According to the company, a DevOps engineer’s personal computer was compromised through a keylogger, enabling unauthorized access to sensitive data stored in its Amazon AWS cloud infrastructure.
LastPass clarified that the threat actor capitalized on data acquired during the initial breach, combined with details from a third-party incident, and exploited a weakness in a third-party media software package to orchestrate a second breach. This multi-staged attack took place from August 12 to October 26, 2022, while the original breach concluded on August 12, 2022.
The August breach allowed attackers to infiltrate LastPass’s development environment, exfiltrating proprietary source code and technical information via a compromised employee account. The subsequent incident involved more targeted attacks on the company’s infrastructure, with valid credentials stolen from the DevOps engineer to facilitate malicious activity in its shared cloud storage environment.
In a follow-up report, LastPass stated that the threat actor utilized the valid credentials to access a cloud-based storage environment, where crucial customer data was housed. This access was made possible due to the engineer’s authority over decryption keys for the cloud storage service. Such credentials provided the attackers an opening to access Amazon S3 buckets, which contained backups of customer data and encrypted vault information.
The breach underscores the effectiveness of using social engineering and exploiting previously stolen credentials, as the intruder targeted the engineer’s home computer, employing a known vulnerability in a third-party media software to execute remote code and plant a keylogger. This allowed the attacker to capture the employee’s master password during a legitimate authentication process.
While LastPass has not disclosed the specific third-party media software involved, speculation suggests it could be associated with Plex, which suffered its own data breach around the same time. In response to the attack, LastPass reported that it has strengthened its security protocols, including the rotation of critical credentials and the implementation of enhanced logging and alerting mechanisms to better monitor its systems.
Given these developments, LastPass is advising its users to immediately change their master passwords and any stored passwords to minimize potential risks. This incident serves as a stark reminder of the vulnerabilities that can arise from a combination of social engineering and the exploitation of third-party software weaknesses.
Update
In response to the ongoing discussions regarding the incident, Plex provided a statement affirming their commitment to security and transparency. They clarified that they had not been contacted by LastPass to discuss the incident specifics but emphasize their proactive efforts to maintain the integrity of their services through regular communication and prompt remediation of vulnerabilities.
