LastPass has reported that a DevOps engineer's home computer was compromised to steal password vault data during the August 2022 data breach.

LastPass Lost Vault Data in the 2022 Breach

Password manager LastPass has revealed more information about its August 2022 data breach, stating that a DevOps engineer's home computer was hacked to steal password vault data.

On February 27, 2023, LastPass released a security advisory regarding the data breach suffered in August 2022. LastPass had already informed readers that customer data vaults were accessed in the attack, with another attack taking place in November 2022 that was linked to the first. $53,000 in Bitcoin was also allegedly stolen as a result of the initial hit, which led to a class-action lawsuit being filed.

In its security advisory, LastPass wrote that, during the August 2022 attack, the malicious operator was able to "leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity."

The DevOps engineer had access to decryption keys, which made them a prime target for the attacker. These keys allowed access to LastPass's cloud storage services, which contain LastPass customer data and encrypted vault data. Only four LastPass DevOps engineers had access to these keys, with just one being successfully targeted.

LastPass also stated that "the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022, to October 26, 2022." It wasn't until AWS GuardDuty alerts notified LastPass of unusual activity that the issue was highlighted.

A Software Package Was Exploited to Compromise the Targeted PC

To compromise the DevOps engineer's home computer, the attacker exploited a vulnerable third-party media software package. This exploit gave the attacker remote code execution, which led to the installation of keylogger malware. The keylogger was then used to steal the employee's master password and access the LastPass corporate vault.

After accessing the vault, the malicious actor exported both the vault entries and shared folder content. Within the exported data were encrypted secure notes, as well as LastPass decryption keys. These keys were needed to "access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."

LastPass Has Users Questioning Its Integrity

While some users appreciate LastPass's transparency regarding this incident, many are angered by the continued security issues suffered by the company. Dismayed users have taken to Twitter to vent their feelings about LastPass's security integrity. One individual criticized LastPass's decision to grant certain employees access to a decrypted password vault.

LastPass's Reputation Seems Tainted Amid These Attacks

With LastPass having run into numerous security issues in recent years, people are now questioning whether it is a legitimate option for password storage. With some users already leaving LastPass behind, there's no knowing how this password manager will weather this storm.