LastPass has been in the news a lot lately, and not because it’s the internet’s number one password manager, as it still proudly proclaims. The company is still reeling from a series of hacks last year that resulted in a trove of user data being stolen. This week, LastPass released new details of the attacks, explaining that the attacker targeted a senior LastPass engineer to gain access to the sensitive internal information that made the data theft possible.
Problems started for LastPass in August 2022 when it notified users of a “security incident” involving proprietary company information. It said at the time that no user data was accessed, but in November, it announced a second attack that did target the passwords and other sensitive data people had stored on LastPass’ servers. The threat actor leveraged data stolen in the first phase of the attack in August, but how did they get that data in the first place? Well, it’s not pretty.
LastPass explains in the latest investigation update that the attackers targeted a senior engineer at the company, one of only four people with access to the LastPass corporate vault. The employee in question was working from home, and their employer did not enforce any access restrictions. The DevOps engineer was accessing sensitive company data using a personal computer, which also ran a “media software package.” Other sources claim the media software in question is Plex, which reported a data breach around the same time. Using an undocumented vulnerability in the media software, the attacker installed a keylogger and waited for the engineer to enter the master password and two-factor code.
That operation gave the threat actor the keys to the kingdom; they obtained decryption keys for the company’s AWS-hosted backups, including critical databases and other resources. Because of the way LastPass had implemented access auditing, nothing seemed amiss at first. The company didn’t know about the second attack until Amazon alerted it to unusual activity on the account. The attacker made off with user vaults that are only partially encrypted. The password data is secure, but the vaults include plain text URLs, emails, and IP addresses. Worse still, the passwords are only protected by the user’s master password, which could be weak on older accounts.
In addition to the updated blog post, LastPass has published a rundown of all the data lost in the attacks. The company also provides a list of changes made to its security setup, but this is far from the first security issue for LastPass. It suffers a data breach of some sort almost every year, and it always says it has improved its security afterward. Perhaps LastPass, with millions of user passwords, is just too tempting a target. If you’ve got a LastPass account, it might be time to reevaluate.
Update 2/28/23 9 P.M. ET: A Plex representative says that the company has not been contacted by LastPass and is not aware of any unpatched vulnerabilities in its software. If someone at LastPass knows of one, though, Plex reminds us it does have a bug bounty program.