Following a data breach disclosure that has stretched on for months, LastPass says the same attacker hacked an employee's computer and stole a decrypted password vault.
The company reported a security incident in August 2022, saying an unauthorized party gained access to a third-party cloud-based storage service that LastPass uses to store archived backups. Some customer data was accessed, but LastPass said passwords remained safe due to its encrypted architecture.
Now, in a report on Tuesday, the company said that the same attacker had hacked an employee's home computer and stole a decrypted vault available to only a handful of company developers. The vault gave access to a shared cloud-storage environment containing encryption keys for customer vault backups stored in Amazon S3 buckets.
"This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass wrote. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."
According to Monday's report, the first event's tactics, techniques, and processes were distinct from those utilized in the second incident. As a result, it wasn't first apparent to investigators that the two were connected.
The hacker exploited the first event's data to exfiltrate the data kept in the S3 buckets during the second incident. Amazon had noticed "anomalous behavior" when the attacker tried to use Cloud Identity and Access Management (IAM) roles to perform the unauthorized activity and notified LastPass.
In December, LastPass CEO Karim Toubba said the hacker copied data from backups that included customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.
The hacker also created a copy of customer vault data, though LastPass said it was "stored in a proprietary binary format." The company claims it would be highly unlikely that the hackers could decrypt the data, but warned users that they could be targeted by phishing or social engineering attacks.
Users should update their master password, which logs them into their vault, as well as their passwords for websites and other logins, as a precaution, even though LastPass claimed that customers' credentials were encrypted and safe. Additionally, people might switch to a different password manager, such as iCloud Keychain, Bitwarden, or 1Password.
LastPass asserted that it would take millions of years to decipher a user's master password, but a competitor believes that it will only take a fraction of that time and can be completed for just $100. In a blog post, 1Password's principle security architect, Jeffrey Goldberg wrote that LastPass wasn't doing enough to secure customer data.
"If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."
LastPass has already faced criticism for dubious security procedures. In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations.
The company assured customers that attacks were a result of passwords leaked in third-party breaches. And in February 2021, a security researcher found seven trackers inside the LastPass Android app for app analytics.