LastPass has attributed a data breach in December to the same attacker that launched an earlier attack on its systems. The password management service said a DevOps engineer had been targeted in a sustained attack from 12 August to 26 October 2022.
The intruders used information stolen in the first breach, material from a third-party breach, and a vulnerability in third-party media software to launch a “coordinated” second assault. The initial attack had ended on 12 August.
The attackers gained access to proprietary technical information and source code from LastPass’s development environment through a single compromised employee account.
They later used the information to gain access to cloud-based storage and steal some customers’ information. The December disclosure revealed that a hacker had also obtained access to encrypted customer vault data, protected by 256-bit AES encryption, although the age of the backup was not revealed.
The attackers obtained the DevOps engineer’s passwords by breaching their personal computer and deploying a keylogger via a vulnerable third-party media software package, enabling remote code execution.
They then targeted the engineer’s LastPass corporate vault. The company has not identified the third-party software, although Plex, which was breached in August 2022, is thought to be the likely candidate.
LastPass has since implemented a series of security measures, including rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor.
It has also put in place S3 hardening measures to facilitate logging and alerts. LastPass is urging users to change their master passwords and passwords stored in their vaults.
