Password manager LastPass is having a bad, no-good time with its ongoing security problems. We reported last month how a breach in August 2022 led to threat actors gaining access to internal data stores and exfiltrating a large amount of customer data, and things continue to get worse for the company.
LastPass only disclosed the full scope of that breach in late December. Now the beleaguered company has admitted that the same threat actor combined data stolen in that first incident with data from another data breach and a vulnerability in a third-party media software package to carry out what LastPass is calling a “second attack”.
“This attack targeted LastPass infrastructure, resources, and an employee in a campaign of overlapping activity,” LastPass said in a post detailing the attack. “The observed tactics, techniques, and procedures (TTPs), as well as the indicators of compromise (IOCs) of the second incident were not consistent with those of the first. While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related.”
What made the second intrusion so difficult to detect was that the threat actor had obtained the login credentials of “a senior DevOps engineer”.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass said.
Because the activity was carried out with a legitimate engineer’s credentials, it looked like normal use, or at least normal enough to go undetected at first. Using that access, the threat actor was able to reach a shared cloud storage environment holding backups of customer data.
“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” LastPass said.
Since establishing the scope of the intrusion, LastPass says it has taken a number of measures to contain the damage and harden its environment: it has helped the engineer in question improve the security of their home computer and network, rotated the compromised credentials, and revoked and reissued the certificates the attacker had used.
The data taken in the first breach included customer user names, company names, addresses, email addresses, telephone numbers, and user IP addresses.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.