LastPass Suffers Security Breach as Hackers Steal Password Vault from Employee PC

LastPass has released an update on its investigation into the two security breaches it suffered last year, and they appear to be more serious than originally thought. The attackers behind those incidents also compromised the home computer of a LastPass DevOps engineer by exploiting a vulnerable third-party media software package. They planted a keylogger on the machine and used it to capture the engineer’s master password for an account with access to the LastPass corporate vault. With that access they exported the vault’s entries and shared folders, which held the decryption keys needed to open the Amazon S3 cloud storage buckets containing backups of customer vaults.

This latest update to LastPass’s investigation gives a clearer picture of how the two breaches it experienced last year were linked. LastPass disclosed in August 2022 that an “unauthorised person” had obtained access to its systems. While that initial incident concluded on August 12th, the company now says the threat actors were “actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12th, 2022 to October 26th, 2022.”

When the company revealed the second breach in December, it said the attackers had used information gathered in the first incident to gain access to its cloud storage service. It also revealed that they stole a large amount of sensitive data, including data held in Amazon S3 buckets. To read the data in those buckets, the attackers needed decryption keys stored in a “very limited set of shared files in a LastPass password management vault.” That is why they targeted one of the company’s four DevOps engineers, who had access to the keys required to open the cloud storage.

The data taken by the threat actors in the two incidents is listed in a support document (PDF) published by the company (via BleepingComputer). In the second incident the cloud-based backups apparently contained “API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data.” With a few exceptions, the company stated that all sensitive customer vault data “can only be decrypted using a unique encryption key obtained from each user’s master password.” LastPass also said that it does not store users’ master passwords. Finally, it outlined the steps it is taking to strengthen its defences going forward, including upgrading its threat detection and making a “multi-million-dollar allocation to increase [its] investment in security across people, processes, and technology.”
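To make that last design claim concrete, here is an added illustration, not LastPass’s own code, of a client-side vault model in which the server holds only ciphertext and a one-way login verifier, so a stolen backup is useless without the master password while a keylogged master password unlocks it, exactly the limit the incident above exposed. The iteration count, salt choice and verifier scheme are assumptions (the page does not state LastPass’s real parameters), and an HMAC-SHA256 keystream stands in for a real cipher such as AES-GCM so that it runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Assumed, illustrative parameters; the page does not state LastPass's real ones.
ITERATIONS = 100_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_vault_key(master_password, email):
    """Client side only: the key that encrypts the vault, stretched from the
    master password with the (normalised) account e-mail as salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)


def derive_auth_verifier(vault_key):
    """What the server stores to check a login: a one-way stretch of the vault
    key, so neither the vault key nor the master password is kept on file."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, b"auth-verifier", 1)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for a real cipher such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_entry(vault_key, plaintext):
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC: this blob is what a backup holds


def decrypt_entry(vault_key, blob):
    """Returns the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo(master_password="correct horse battery staple", email="User@example.com"):
    """Constructed scenario: a backup blob and verifier leak; only the master password unlocks it."""
    vault_key = derive_vault_key(master_password, email)
    leaked = {"verifier": derive_auth_verifier(vault_key),
              "blob": encrypt_entry(vault_key, b"site=example.com;pw=hunter2")}
    return {"guess": decrypt_entry(derive_vault_key("password123", email), leaked["blob"]),
            "keylogged": decrypt_entry(derive_vault_key(master_password, email), leaked["blob"])}
```

The verifier in the leaked record cannot be turned back into the vault key, which is why a captured master password, rather than the backup itself, was the decisive loss.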