LastPass details its data breach in 2022

Recently, there was a serious data breach incident involving the well-known password management software, LastPass, which has made further progress in its investigation regarding the breach. It was disclosed that the attacker initially infected the personal computer of a LastPass DevOps engineer and then stole sensitive data from their Amazon AWS cloud storage server.

LastPass is trusted by individuals and enterprises for secure password storage and management due to its high level of security. However, last year, attackers exported sensitive basic customer account information from its cloud storage, such as company name, username, address, email address, phone number, and IP addresses of customers accessing LastPass services. According to a survey conducted by the network security product evaluation website Security.org among over a thousand Americans, LastPass, which was the most popular password management tool in 2021, slid to fourth place in 2022.

According to a recent announcement by LastPass, only four engineers have access to the decryption keys required to access the LastPass AWS cloud storage service.

The hackers carried out the attack by targeting the personal computers of these DevOps engineers and using vulnerable third-party media software packages. The software package enabled remote code execution, allowing the attackers to implant keylogger malware on the engineer’s device. After the engineer verified their identity through MFA, the attacker was able to capture the engineer’s master password input, thereby gaining access to the LastPass company’s vault of DevOps engineers.

The attacker then exported the contents of the data vault and shared folders, including encrypted security notes, AWS S3 LastPass production backups, other cloud-based storage resources, and access and decryption keys for some related critical database backups.

Since the attacker used valid credentials, it was difficult for LastPass to detect their intrusion and gave the attacker ample time to steal data from LastPass’s cloud storage servers. According to reports, the attacker had access to the system for over two months. In the end, when the attacker attempted to perform unauthorized tasks using identity and access management (IAM), LastPass detected abnormal behavior through AWS GuardDuty alerts.

LastPass stated that it has updated its security systems, taking measures such as rotating sensitive credentials and authentication keys, revoking certificates, adding additional alert logs, and implementing stricter security policies. Additionally, LastPass customers are advised to change their master password and all passwords stored in their password vault.