LastPass reveals attackers stole password vault data by hacking an employee’s home computer

The password manager’s latest update regarding two security breaches last year discloses how a threat actor accessed customer information.

LastPass says that a threat actor was able to steal corporate and customer data by hacking an employee’s personal computer and installing keylogger malware, which let them gain access to the company’s cloud storage. The update provides more information about how the series of hacks happened last year that resulted in the popular password manager’s source code and customer vault data being stolen by an unauthorized third party.

Last August, LastPass notified its users of a “security incident” in which an unauthorized third party used a compromised developer account to access the password manager’s source code and “some proprietary LastPass technical information.” The company later disclosed a second security breach in November, announcing that hackers had accessed a third-party cloud storage service used by the password manager and were able to “gain access to certain elements” of “customers’ information.”

On December 22nd, LastPass revealed that the hackers had used information from the first breach in August to access its systems during the second incident in November and that the attacker was able to copy a backup of partially encrypted customer vault data containing website URLs, usernames, and passwords. LastPass then advised its users to change all of their stored passwords as “an extra safety measure,” despite maintaining that the passwords were still secured by the account’s master password.

Now, LastPass has revealed the threat actor responsible for both security breaches was “actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities” between August 12th and October 26th. During this time, the attacker stole valid credentials from a senior DevOps engineer to gain access to shared cloud storage containing the encryption keys for customer vault backups stored in Amazon S3 buckets. Using these stolen credentials made it difficult to distinguish between legitimate and suspicious activity.

Just four DevOps engineers had access to the decryption keys needed to access the cloud storage service. One of the engineers was targeted by exploiting an (undisclosed) vulnerable third-party media software package on their home computer and installing keylogger malware. Ars Technica reports that the computer was likely hacked through the Plex media platform, which similarly reported a data breach shortly after LastPass disclosed its first incident in August. Neither company has confirmed this to be the case. We have reached out to LastPass and Plex for clarification and will update this story should we hear back.

After installing the keylogger, LastPass says the threat actor “was able to capture the employee’s master password as it was entered, after the employee authenticated with [multifactor authentication], and gain access to the DevOps engineer’s LastPass corporate vault.” The company has since taken additional steps to secure its platform, including revoking certificates and rotating credentials known to the threat actor and implementing additional logging and alerting across its cloud storage.

Alongside the announcement, LastPass has published a complete list of the data that was compromised across both security breaches on a dedicated support page. BleepingComputer reports that LastPass has made efforts to conceal this information, however, noting that HTML tags had been added to the document to prevent the updates from being indexed by search engines. LastPass has additionally published a PDF containing further details regarding the incidents last year alongside two additional security bulletins — one for LastPass Free, Premium, and Families customers and another for business administrators — with recommended actions to secure your accounts.