In brief: Password manager LastPass has revealed details of a breach last year that resulted in partially encrypted user login data being stolen. The company confirmed that the incident stemmed from a previous hack in August that enabled the hacker to steal credentials from a DevOps engineer's home computer and obtain a decrypted vault.
In December, LastPass said it had detected unusual activity within an AWS cloud storage service that it shares with GoTo, the company formerly known as LogMeIn, which acquired LastPass in 2021. It was determined that the hacker was able to gain access to "certain elements" of customers' data. This was achieved using information acquired from the previous hack on LastPass in August.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass's Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq
--- LastPass (@LastPass) November 30, 2022
LastPass revealed more details of the second incident yesterday. It writes that although the initial breach ended on August 12, the hacker "was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity" from August 12 to August 26. The threat actor was able to steal credentials from a senior DevOps engineer during this period and access the company's shared cloud storage, which contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
Part of the attack involved the home computer of the engineer, one of only four with access to the decryption keys, being infected with a keylogger. This was achieved by exploiting a remote code execution vulnerability in a third-party media software package. Ars Technica writes that the software in question was the streaming media service/media player Plex.
"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," writes LastPass.
Aw crap, I'm pwned in a @plex data breach. Again. I can't do anything to *not* be in a breach like this (short of not using the service), but a @1Password generated random password and 2FA enabled makes this a mere inconvenience rather than a genuine risk.
--- Troy Hunt (@troyhunt) August 24, 2022
Back in August, just 12 days after the second LastPass incident began, Plex announced the discovery of suspicious activity in one of its databases and found that a third party had accessed a subset of data that included emails, usernames, and encrypted passwords. Whether this was linked to the LastPass breach is unclear.
LastPass has revealed a detailed list of everything accessed during the breaches. If you're a user, changing the master password and all passwords in your vault would be a wise move.