Following last August’s data breach of password-manager company LastPass, it appears that the same attacker returned to compromise an employee’s home computer and steal a decrypted password vault.
The company reported a security incident in August 2022, saying an unauthorized party gained access to a third-party cloud-based storage service that LastPass uses to store archived backups. Some customer data was accessed, but LastPass said passwords remained safe due to its encrypted architecture.
In a report released on Monday, LastPass stated that the same attacker had hacked an employee’s home computer and stolen a decrypted vault available to only a handful of company developers. The vault offered access to a shared cloud-storage environment containing encryption keys for customer vault backups stored in Amazon S3 buckets.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
The report noted that the first event’s tactics, techniques, and procedures (TTPs) were distinct from those used in the second attack. As a result, investigators took additional time to determine that the two incidents were connected.
The attacker appears to have used data stolen in the first event to exfiltrate the data kept in the S3 buckets during the second incident. Amazon noticed “anomalous behavior” when the attacker tried to use Cloud Identity and Access Management (IAM) roles to perform the unauthorized activity, and notified LastPass.
Last December, LastPass CEO Karim Toubba stated that the hacker had copied data from backups that included customer account information and related metadata, such as company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.
The hacker also apparently kept a copy of customer vault data, although the company stated that it was “stored in a proprietary binary format.” LastPass has claimed that it would be highly unlikely that the hackers could decrypt the data, but warned users that they could be targeted by phishing or social engineering attacks.
The company has advised users to update their master password, which logs them into their vault, where passwords for websites and other logins are stored, as a precaution. The company has also claimed that customers’ credentials were encrypted and safe.
LastPass has asserted that it would take millions of years to decipher a user’s master password, but a competitor argues that cracking a typical human-chosen master password would take a tiny fraction of that time and cost only about $100. In a blog post, 1Password’s principal security architect, Jeffrey Goldberg, wrote that LastPass wasn’t doing enough to secure customer data:
“If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer,” he writes. “But the people who crack human-created passwords don’t do it that way. They set up their systems to try the most likely passwords first.”
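As an added illustration (not code from the LastPass or 1Password write-ups), the Python below models Goldberg’s point: a uniformly random 12-character password really does sit in a keyspace that takes millions of years to exhaust, but a human-chosen password built from a common word plus habitual suffixes falls to a guesser that tries the most likely candidates first. The vault KDF is modelled as PBKDF2-HMAC-SHA256 salted with the account e-mail, with a deliberately low iteration count so the demo runs in a second or two; the e-mail, wordlist, mangling rules and sample passwords are all constructed for the example.

```python
"""Added example: keyspace size versus likely-candidate guessing.

Assumptions (not from the article): the vault KDF is modelled as
PBKDF2-HMAC-SHA256 with the account e-mail as salt; DEMO_ITERATIONS is
lowered so the demo is fast (real vault KDFs use far more); the wordlist
and mangling rules are a toy stand-in for real cracking rule sets.
"""
import hashlib
import math

PRINTABLE_ASCII = 95            # size of the printable-ASCII alphabet
SECONDS_PER_YEAR = 365 * 24 * 3600
DEMO_ITERATIONS = 10_000        # assumption: lowered for speed


def keyspace_bits(length, alphabet=PRINTABLE_ASCII):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet)


def brute_force_years(length, guesses_per_second, alphabet=PRINTABLE_ASCII):
    """Years needed to exhaust the whole keyspace at a fixed guessing rate."""
    return alphabet ** length / guesses_per_second / SECONDS_PER_YEAR


def derive_key(master_password, email, iterations=DEMO_ITERATIONS):
    """Stand-in for a vault KDF (assumed PBKDF2-HMAC-SHA256, e-mail as salt)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations
    )


def likely_candidates(wordlist):
    """Yield guesses in roughly decreasing likelihood: common words, their
    case and leetspeak variants, then the suffixes people habitually append.
    (Constructed toy rule set.)"""
    suffixes = ["", "1", "123", "!", "2022", "2023", "2023!"]
    for word in wordlist:
        variants = [word, word.capitalize(), word.upper()]
        variants += [
            v.replace("a", "4").replace("e", "3").replace("o", "0") for v in variants
        ]
        for base in variants:
            for suffix in suffixes:
                yield base + suffix


def crack(target_key, email, wordlist, iterations=DEMO_ITERATIONS, max_guesses=100_000):
    """Try likely candidates first. Returns (guesses_made, password_or_None)."""
    guesses = 0
    for candidate in likely_candidates(wordlist):
        if guesses >= max_guesses:
            break
        guesses += 1
        if derive_key(candidate, email, iterations) == target_key:
            return guesses, candidate
    return guesses, None


if __name__ == "__main__":
    email = "alice@example.com"                       # constructed sample
    words = ["password", "sunshine", "dragon", "lastpass"]  # constructed wordlist
    print(f"random 12-char password: {keyspace_bits(12):.1f} bits, "
          f"{brute_force_years(12, 1e10):.2e} years at 1e10 guesses/s")
    human = derive_key("Sunshine2023!", email)        # word + case + suffix
    print("human-chosen:", crack(human, email, words))
    random_pw = derive_key("x7#Qp2!mZ9vL", email)     # not derivable from the rules
    print("random 12-char:", crack(random_pw, email, words))
```

The exhaustive figure (roughly 2^79 candidates for 12 printable-ASCII characters, over a million years at ten billion guesses per second) is the number LastPass’s claim rests on; the ordered guesser recovers the word-based password in a few dozen tries because it never touches most of that space. Raising the KDF iteration count slows each guess but does not change the ordering argument, which is why both a high work factor and a genuinely random master password matter.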
LastPass has already faced criticism over questionable security practices. In December 2021, users reported multiple login attempts using correct master passwords from various locations; LastPass attributed the attempts to passwords leaked in third-party breaches. And in February 2021, a security researcher found seven analytics trackers inside the LastPass Android app.
Stay tuned for additional details as they become available.
Via AppleInsider and support.lastpass.com