LastPass says hackers broke into an employee PC to steal the company’s password vault | Engadget


LastPass has released an update on its investigation into a number of security incidents that took place last year, and they sound more serious than previously thought. Apparently, the attackers involved in these incidents also broke into the home computer of one of the company’s DevOps engineers using a third-party media software package. They implanted a keylogger in the software, which they then used to capture the engineer’s master password for an account with access to the company’s LastPass vault. Once logged in, they exported vault entries and shared folders that contained the decryption keys needed to unlock the Amazon S3 cloud buckets containing customers’ vault backups.

This latest update in the LastPass investigation gives us a clearer picture of how the two security breaches it experienced last year are linked. If you recall, in August 2022, LastPass found that an “unauthorized party” had gained access to its system. Although the first incident ended on August 12, the company said in a new statement that threat actors were “actively engaged in a new series of reconnaissance, enumeration and exfiltration activities aligned to the cloud storage environment that spanned the period from August 12, 2022 to October 26, 2022.”
When the company announced the second security breach in December, it said the attackers used information obtained in the first incident to gain access to its cloud service. It also admitted that the hackers got away with a bunch of sensitive information, including its Amazon S3 buckets. To access the data saved in those buckets, the hackers needed decryption keys saved in a “strictly restricted set of shared folders in the LastPass password manager vault.” That is why the attackers targeted one of the four DevOps engineers who had access to the keys needed to unlock the company’s cloud storage.

In a supporting document (PDF) released by the company (via BleepingComputer), it details the data accessed by the attackers during the two incidents. Apparently, the cloud backups accessed in the second breach included “API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data.” The company insisted that all sensitive customer vault data, with some exceptions, “can only be decrypted using a unique encryption key derived from each user’s master password.” The company added that it doesn’t store users’ master passwords. LastPass also detailed the steps it has taken to strengthen its defenses going forward, including overhauling its threat detection system and allocating “multi-millions to enhance [its] investments in the security of people, processes and technologies.”
