LastPass data was stolen by hacking an employee’s home computer

LastPass said a threat actor was able to steal company and customer data by hacking into an employee’s computer and installing malware and a keylogger, which gave them access to the company’s cloud storage. The update provides more information about the series of hacks last year that led to the theft of the password manager’s source code and customer data by unauthorized third parties.

Last August, LastPass notified its users of a “security vulnerability” in which an unauthorized third party used compromised developer accounts to gain access to the password manager’s source code and “other proprietary LastPass technical information.” The company later disclosed a second security breach in November, announcing that hackers gained access to a third-party cloud storage service used by the password manager and were able to “get some objects” of “customer information.”

On December 22, LastPass revealed that hackers used data from the first breach in August to gain access to its systems during the second breach in November, and that the attacker was able to copy encrypted customer data containing web URLs, usernames, and passwords. LastPass then advised its users to change all stored passwords as an “additional security measure,” although the passwords were still protected by the account’s master password.

Now, LastPass has revealed that the threat actor responsible for the two security breaches “engaged in a new series of espionage, encryption, and malicious activities” between August 12th and October 26th. During this time, the attacker stole valid credentials from a senior DevOps engineer to gain access to shared cloud storage that contained encryption keys for customer backups stored in Amazon S3 buckets. The use of these stolen credentials made it difficult to distinguish legitimate activity from suspicious activity.

The hacker allegedly accessed the private computer through the Plex media software installed on the device

Only four DevOps engineers have access to the encryption keys needed to access the cloud storage service. One of the engineers was targeted through an (undisclosed) third-party software package on their home computer, on which keylogger malware was then installed. Ars Technica reports that the computer may have been hacked through the Plex media platform, which also reported a data breach shortly after LastPass first disclosed its incident in August. No other company has confirmed this. We’ve reached out to LastPass and Plex for more information and will update this article when we hear back.

After the keylogger was installed, LastPass said, the threat actor “was able to capture the user’s master password as entered, after the user verified it [with multifactor authentication], and access the company’s DevOps engineer’s LastPass.” Since then, the company has taken additional steps to secure its platform, including revoking and rotating certificates known to the threat actor and implementing additional logging and alerts in cloud storage.

Along with the announcement, LastPass published a complete list of compromised data in all security-related areas on its dedicated support page. Bleeping Computer reports, however, that LastPass has tried to hide this information, noting that HTML tags have been inserted into the document to prevent search engines from indexing the update. LastPass has also published a PDF containing more details about last year’s events, along with two additional security articles (one for LastPass Free, Premium, and Family customers and another for business administrators) with suggested actions to secure your account.
