LastPass has posted an update on its investigation into a pair of security incidents last year, and they are worse than previously thought. The threat actors involved in those incidents also infiltrated the home computer of one of the company's DevOps engineers by exploiting a third-party media software package. They implanted a keylogger into the software and used it to capture the engineer's master password for an account that had access to the LastPass corporate vault. Once inside, they exported the vault entries and shared folders that contained the decryption keys needed to unlock the Amazon S3 cloud storage buckets holding customer vault backups.
This latest update in the LastPass investigation gives us a clearer picture of how the two security breaches that occurred last year were connected. If you recall, LastPass disclosed in August 2022 that an “unauthorized party” had penetrated its systems. Although the first incident ended on August 12, the company said in its new announcement that the threat actors were “actively engaged in a new set of reconnaissance, enumeration and terror activities aligned with the cloud storage environment from August 12, 2022 to October 26, 2022.”
When the company announced the second security breach in December, it said the threat actors used information gained from the first incident to break into its cloud storage service. It also admitted that the attackers got away with a large amount of sensitive information, including the contents of its Amazon S3 buckets. To access the data stored in those buckets, the attackers needed decryption keys that were kept in “a highly restricted set of shared folders in the LastPass password manager vault.” That is why they targeted one of the four DevOps engineers who had access to the keys needed to unlock the company's cloud storage.
A supporting document (PDF) the company released (via BleepingComputer) detailed the data obtained by the threat actors during both incidents. It included “API secrets, third-party integration secrets, customer metadata and backups of all customer vault data.” The company insisted that, with a few exceptions, sensitive customer vault data “can only be decrypted with a unique encryption key derived from each user’s master password.” The company also said it does not store users’ master passwords. LastPass also detailed the steps it has taken to strengthen its defenses going forward, including reviewing its threat detection and “allocating a multi-million dollar investment to improve people, process and technology security.”