LastPass has posted an update on its investigation into two security incidents that took place last year, and they sound more serious than previously thought. The attackers involved in those incidents also infiltrated the home computer of a company DevOps engineer by exploiting a vulnerable third-party media software package. They implanted a keylogger, which they then used to capture the engineer's master password for an account with access to LastPass' corporate vault. Once inside, they exported the vault entries and shared folders containing the decryption keys needed to unlock the Amazon S3 buckets that held backups of customer vaults.
This latest update in the LastPass investigation gives a clearer picture of how the two breaches the company suffered last year were connected. Recall that in August 2022 LastPass revealed that an "unauthorized party" had broken into its systems. While the first incident ended on August 12, the company now says threat actors were "actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment" that extended from August 12, 2022 to October 26, 2022.
When the company announced the second breach in December, it said the criminals had used information obtained in the first incident to access its cloud storage service. It also admitted that the hackers made off with a large amount of sensitive information, including data from its Amazon S3 buckets. To read the data stored in those buckets, the hackers needed decryption keys that were kept in a "highly restricted set of shared folders in a LastPass password manager vault." That is why the criminals targeted one of the four DevOps engineers who had access to those keys.
In a supporting document (PDF) the company released (via BleepingComputer), it detailed the data accessed by the threat actors during the two incidents. The cloud-based backups accessed during the second breach included "API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data." The company maintained that all sensitive data in customer vaults, with few exceptions, "can only be decrypted with a unique encryption key derived from each user's master password," and added that it does not store users' master passwords. In practice that means whoever holds the stolen backups can only attempt to guess master passwords offline, so the protection of that data rests on the strength of each user's master password and on the cost of the key derivation. LastPass also detailed steps it has taken to strengthen its defenses going forward, including reviewing its threat detection and making "a multi-million dollar allocation to improve [its] investment in security across people, processes, and technology."
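As an added illustration of the property quoted above (this is not LastPass' own code, and it does not describe the company's actual parameters), the following Python toy model shows why the stolen backups are only useful to someone who can guess a master password: the vault key is derived client-side with PBKDF2 from the master password, the server only ever receives a further one-way hash of it, and an attacker holding the ciphertext must pay one full key derivation per guess. The iteration count, the use of the username as the salt, and the HMAC-based stand-in cipher are assumptions made for this example.

```python
import hashlib
import hmac
import itertools
import os
from typing import Iterable, Optional

# Toy model of a master-password-derived vault key. Added example, not LastPass
# code. The iteration count, the username-as-salt choice and the HMAC-counter
# cipher (a stdlib-only stand-in for AES) are assumptions for illustration.

ITERATIONS = 600_000  # assumption; a real deployment picks its own setting


def derive_vault_key(master_password: str, username: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Client side: stretch the master password into the 256-bit vault key.
    The username serves as the salt so identical passwords give different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), iterations)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to authenticate: one more one-way step over the vault
    key. The server can verify logins with this but cannot recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the single vault key."""
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the AES a real vault uses."""
    out = b""
    for counter in itertools.count():
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag check fails)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def offline_guess(blob: bytes, username: str, candidates: Iterable[str],
                  iterations: int = ITERATIONS) -> Optional[str]:
    """What the holder of a stolen backup can do: guess master passwords offline.
    Every guess costs a full PBKDF2 run, so the iteration count and the master
    password's entropy decide how long the stolen vault stays unreadable."""
    for guess in candidates:
        if decrypt_vault(derive_vault_key(guess, username, iterations), blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    user, pw = "alice@example.com", "Tr0ub4dor&3"   # constructed sample data
    key = derive_vault_key(pw, user)
    blob = encrypt_vault(key, b"site=bank.example; user=alice; pass=hunter2")
    print("correct key opens vault:", decrypt_vault(key, blob) is not None)
    print("wrong key opens vault:", decrypt_vault(derive_vault_key("wrong", user), blob) is not None)
    print("server-side login hash equals vault key:", login_hash(key, pw) == key)
```

The point a defender should take from the model is in `offline_guess`: once the ciphertext is in the attacker's hands, nothing on the server side can revoke it, so the only levers left are a high iteration count and a master password that is not in any wordlist.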