LastPass says that a threat actor was able to steal corporate and customer data by hacking an employee’s personal computer and installing keylogger malware, which let them gain access to the company’s cloud storage. The update provides more information about how the series of hacks happened last year that resulted in the popular password manager’s source code and customer vault data being stolen by an unauthorized third party.
Last August, LastPass notified its users of a “security incident” in which an unauthorized third party used a compromised developer account to access the password manager’s source code and “some proprietary LastPass technical information.” The company later disclosed a second security breach in November, announcing that hackers had accessed a third-party cloud storage service used by the password manager and were able to “gain access to certain elements” of “customers’ information.”
On December 22nd, LastPass revealed that the hackers had used information from the first breach in August to access its systems during the second incident in November and that the attacker was able to copy a backup of partially encrypted customer vault data containing website URLs, usernames, and passwords. LastPass then advised its users to change all of their stored passwords as “an extra safety measure,” despite maintaining that the passwords were still secured by the account’s master password.
Now, LastPass has revealed the threat actor responsible for both security breaches was “actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities” between August 12th and October 26th. During this time, the attacker stole valid credentials from a senior DevOps engineer to gain access to shared cloud storage containing the encryption keys for customer vault backups stored in Amazon S3 buckets. Because the attacker was using valid credentials, it was difficult to distinguish legitimate activity from suspicious activity.
It’s suspected the hacker accessed the private computer via Plex media software installed on the machine.
Just four DevOps engineers had access to the decryption keys needed to access the cloud storage service. One of the engineers was targeted by exploiting an (undisclosed) vulnerable third-party media software package on their home computer and installing keylogger malware. Ars Technica reports that the computer was likely hacked through the Plex media platform, which similarly reported a data breach shortly after LastPass disclosed its first incident in August.
Plex has provided a statement to The Verge addressing these claims. “We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program,” said Scott Hancock, VP of Marketing at Plex. “When vulnerabilities are reported following responsible disclosure we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released. And when we’ve had incidents of our own, we’ve always chosen to communicate them quickly.”
“We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above,” added Hancock. “Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure.”
After installing the keylogger, LastPass says the threat actor “was able to capture the employee’s master password as it was entered, after the employee authenticated with [multifactor authentication], and gain access to the DevOps engineer’s LastPass corporate vault.” The company has since taken additional steps to secure its platform, including revoking certificates and rotating credentials known to the threat actor and implementing additional logging and alerting across its cloud storage.
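The two sentences above describe the defender's problem: the reads came from a valid DevOps identity, so the only signals left are where the reads came from and how many backup and key objects one identity pulled. The following is an added illustration (not LastPass's code or configuration) of the kind of alerting rule that could run over S3 data-event logs; the bucket name, object prefixes, corporate egress IPs, threshold and the log records themselves are all constructed assumptions.

```python
"""Flag reads of vault backups or key material by a valid identity when the
source IP is not a known corporate egress address, or when one identity pulls
several sensitive objects (a bulk export).  All values below are assumed."""
from collections import Counter

SENSITIVE_PREFIXES = ("vault-backups/", "encryption-keys/")  # assumed object layout
KNOWN_EGRESS = {"203.0.113.10", "203.0.113.11"}              # assumed corporate egress IPs
BULK_THRESHOLD = 3                                           # sensitive reads per identity before alerting

# Constructed CloudTrail-style S3 data events; not real log data.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "userIdentity": {"userName": "devops-a"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "vault-store", "key": "vault-backups/2022-08-01.enc"}},
    {"eventName": "GetObject", "userIdentity": {"userName": "devops-b"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "vault-store", "key": "encryption-keys/backup-kek.json"}},
    {"eventName": "GetObject", "userIdentity": {"userName": "devops-b"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "vault-store", "key": "vault-backups/2022-08-01.enc"}},
    {"eventName": "GetObject", "userIdentity": {"userName": "devops-b"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "vault-store", "key": "vault-backups/2022-08-02.enc"}},
    {"eventName": "ListObjects", "userIdentity": {"userName": "devops-c"}, "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"bucketName": "vault-store", "prefix": "vault-backups/"}},
]


def detect(events):
    """Return a list of (rule, user, detail) alerts.
    Rule 1: a sensitive object read from an IP outside KNOWN_EGRESS.
    Rule 2: one identity reaching BULK_THRESHOLD sensitive reads (emitted once)."""
    alerts, per_user = [], Counter()
    for ev in events:
        key = ev.get("requestParameters", {}).get("key", "")
        # Only object reads/copies of sensitive prefixes matter here; listings are ignored.
        if ev.get("eventName") not in ("GetObject", "CopyObject") or not key.startswith(SENSITIVE_PREFIXES):
            continue
        user = ev.get("userIdentity", {}).get("userName", "?")
        ip = ev.get("sourceIPAddress", "")
        if ip not in KNOWN_EGRESS:
            alerts.append(("sensitive_read_from_unknown_ip", user, f"{ip} -> {key}"))
        per_user[user] += 1
        if per_user[user] == BULK_THRESHOLD:
            alerts.append(("bulk_sensitive_reads", user, f"{BULK_THRESHOLD} objects"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: user={user} {detail}")
```

In the constructed sample, the engineer reading one backup from a known address raises nothing, while the identity pulling key material and two backups from an unfamiliar address raises three per-read alerts and one bulk alert.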
Alongside the announcement, LastPass has published a complete list of the data that was compromised across both security breaches on a dedicated support page. BleepingComputer reports, however, that LastPass has made efforts to conceal this information, noting that HTML tags had been added to the document to prevent the updates from being indexed by search engines. LastPass has additionally published a PDF containing further details regarding the incidents last year alongside two additional security bulletins — one for LastPass Free, Premium, and Families customers and another for business administrators — with recommended actions to secure your accounts.
Update, March 2nd, 2023, 4.00AM ET: Article updated with a statement from Plex.