
The LastPass hack saga just keeps getting worse

Following a data breach disclosure that has stretched on for months, LastPass says the same attacker hacked an employee's computer and stole a decrypted password vault.

The company reported a security incident in August 2022, saying an unauthorized party gained access to a third-party cloud-based storage service that LastPass uses to store archived backups. Some customer data was accessed, but LastPass said passwords remained safe due to its encrypted architecture.

Now, in a report on Tuesday, the company said that the same attacker had hacked an employee's home computer and stole a decrypted vault available to only a handful of company developers. The vault gave access to a shared cloud-storage environment containing encryption keys for customer vault backups stored in Amazon S3 buckets.

"This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass wrote. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."

According to Monday's report, the tactics, techniques, and procedures (TTPs) used in the first incident were distinct from those used in the second. As a result, it was not initially apparent to investigators that the two were connected.

The attacker used data stolen in the first incident to exfiltrate the data kept in the S3 buckets during the second. Amazon noticed "anomalous behavior" when the attacker attempted to use Cloud Identity and Access Management (IAM) roles to perform the unauthorized activity, and notified LastPass.

In December, LastPass CEO Karim Toubba said the hacker copied data from backups that included customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.

The hacker also created a copy of customer vault data, though LastPass said it was "stored in a proprietary binary format." The company claims it would be highly unlikely that the hackers could decrypt the data, but warned users that they could be targeted by phishing or social engineering attacks.

Users should update their master password, which logs them into their vault, as well as their passwords for websites and other logins, as a precaution, even though LastPass claimed that customers' credentials were encrypted and safe. Additionally, people might switch to a different password manager, such as iCloud Keychain, Bitwarden, or 1Password.

LastPass security

LastPass asserted that it would take millions of years to decipher a user's master password, but a competitor believes it would take only a fraction of that time and could be done for just $100. In a blog post, 1Password's principal security architect, Jeffrey Goldberg, wrote that LastPass wasn't doing enough to secure customer data.

"If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."
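As an added illustration (not from the article, LastPass or 1Password), the arithmetic behind the 2^72 figure placed next to a structured model of the "most likely passwords first" attacker Goldberg describes; the 64-symbol alphabet, the guess rate and the dictionary sizes are assumptions chosen for the demonstration:

```python
import math

# Added example: keyspace size versus the much smaller space an attacker
# actually searches when guessing human-chosen master passwords.
# Alphabet size, guess rate and dictionary model below are assumptions.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate in a space of 2**bits."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def pattern_bits(dictionary_words: int, digits: int, symbol_choices: int,
                 case_variants: int) -> float:
    """Bits of a human-style 'Word + digits + symbol' password.

    An attacker who tries likely passwords first only has to cover this
    structured space, not the full alphabet**length space.
    """
    candidates = dictionary_words * (10 ** digits) * symbol_choices * case_variants
    return math.log2(candidates)


if __name__ == "__main__":
    # A 64-symbol alphabet (assumed) at 12 characters gives exactly 2^72.
    full = keyspace_bits(64, 12)
    # Constructed model: 100k-word dictionary, two trailing digits, one of
    # 32 symbols, capitalised or not (shapes like "Password42!").
    human = pattern_bits(100_000, 2, 32, 2)
    rate = 1e9  # assumed offline guess rate, guesses per second
    print(f"random 12-char: {full:.1f} bits, "
          f"{years_to_exhaust(full, rate):,.0f} years to exhaust")
    print(f"word+digits+symbol: {human:.1f} bits, "
          f"{years_to_exhaust(human, rate) * SECONDS_PER_YEAR:.2f} seconds")
```

The point for a defender sizing a master-password policy is that the second number, not the first, governs how long a leaked encrypted vault stays safe; only a randomly generated passphrase approaches the keyspace figure.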

LastPass has already faced criticism for dubious security procedures. In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations.

The company assured customers that the attacks were the result of passwords leaked in third-party breaches. And in February 2021, a security researcher found seven trackers inside the LastPass Android app for app analytics.


welshdog 22 Years · 1898 comments

I'm not familiar with the details of IT security, programming, etc., but come on! If you are tasked with keeping thousands of people's personal data safe, you don't let employees take anything outside the secure facilities. Doesn't matter who they are, how good they are or their position in the company - nothing ever leaves the building. Also, using third parties for any part of data storage is also irresponsible IMO. You can never know for sure a vendor is doing what they are supposed to or in what way they are going to screw up. Keep it all in house, locked down and triple secured in every way you can. This is an old doc, but you can get a good idea of how seriously Apple takes security even to the point of destroying the access cards for their hardware security modules used for iCloud: https://www.networkworld.com/article/2174973/apple-reveals-unprecedented-details-in-ios-security.html
LastPass is lazy, stupid or greedy - or all three.

lordjohnwhorfin 18 Years · 871 comments

JP234 said:
"This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass wrote. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."

So a LastPass DevOps engineer let a third party malware package onto his personal computer. That right there tells you the whole story. The solution is to FIRE the engineer and escort him out the door. He's one or both of two things: incompetent or a mole. If the second, prosecute him as well. Then pay more attention to who has access to your IP.

I don't see how that's going to help the victims. But boy am I glad I never used their services.

stevenoz 16 Years · 317 comments

"Don't put your passwords on another man's computer."

Etch that into your brain...

Print them out from time to time... and backup your passwords doc on your computer every few weeks, my advice.

welshdog 22 Years · 1898 comments

stevenoz said:
"Don't put your passwords on another man's computer."

Etch that into your brain...

Print them out from time to time... and backup your passwords doc on your computer every few weeks, my advice.

I use Enpass which allows me to keep all data on my computer - no cloud connection and WiFi sync to my other devices. I block its outgoing connections via Little Snitch. I keep a backup in a safe deposit box. I certainly hope Apple and others keep pushing for their passwordless security methods going forward. Assuming such schemes will actually maintain security.

chasm 10 Years · 3624 comments

Passkeys will make passwords a thing of the past, and it can’t get rolled out to every website too soon.