LastPass has published details of its own investigation into last year's security breaches, and the findings are disappointing. The attackers who carried out the incidents penetrated the home computer of a company DevOps engineer through third-party media software.
A keylogger was planted on the employee's computer and used to capture the master password of an account with access to LastPass's corporate vault. Once inside the vault, the attackers exported records and folders containing the decryption keys needed to unlock the Amazon S3 cloud storage holding customer data backups.
LastPass reported that an "unauthorized party" had gained access to its system in August 2022. The company later said the attackers "actively participated in a new series of intelligence, counting, and filtering data related to the cloud storage environment from August 12, 2022 to October 26, 2022."
LastPass said that the attackers used information from the first incident to infiltrate its cloud service. This included access to Amazon S3 storage, which the hackers stole, and a "restricted set of shared folders in the LastPass password manager vault." This is why the attackers targeted one of the four DevOps engineers who had access to the decryption keys needed to unlock the company's cloud storage.
LastPass listed what was exposed in both incidents in a support document that was leaked. The cloud backups accessed during the second incident included "API secrets, third-party integration secrets, client metadata, and backups of all client storage data."
LastPass states that all sensitive customer vault data, with a few exceptions, "can only be decrypted using a unique encryption key derived from each user's master password."
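To make that claim concrete, here is an added illustration (not LastPass's own code or key-derivation parameters) of what a stolen encrypted vault backup does and does not give an attacker: the backup carries a salt, an iteration count and a key-check value, but the vault key itself exists only after the master password is fed through PBKDF2, so the cost of offline guessing scales with the iteration count and the size of the password space.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32  # 256-bit key; in a real vault this would feed the record cipher

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password. The password is the one
    input a stolen backup does not contain (illustrative scheme, not LastPass's)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)

def make_vault_header(master_password: str, iterations: int) -> dict:
    """Build the metadata a backup would carry: salt, iteration count and an
    HMAC-based key-check value. The derived key is never stored."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).hexdigest()
    return {"salt": salt, "iterations": iterations, "key_check": check}

def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Re-derive the key from a candidate master password and accept it only
    if the key-check matches (constant-time comparison)."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).hexdigest()
    return key if hmac.compare_digest(check, header["key_check"]) else None

def offline_guess_time_seconds(iterations: int, candidates: int,
                               hmac_sha256_per_second: float) -> float:
    """Rough cost model for guessing against a stolen header: every candidate
    password costs `iterations` HMAC-SHA256 evaluations. Raising the iteration
    count or the password entropy raises the attacker's cost proportionally."""
    return candidates * iterations / hmac_sha256_per_second

if __name__ == "__main__":
    header = make_vault_header("correct horse battery staple", 100_000)
    assert unlock(header, "correct horse battery staple") is not None
    assert unlock(header, "password123") is None
    # A 10^12-candidate space at 10^9 HMAC/s: 5,000 vs 600,000 iterations
    print(offline_guess_time_seconds(5_000, 10**12, 1e9) / 86400, "days")
    print(offline_guess_time_seconds(600_000, 10**12, 1e9) / 86400, "days")
```

The defender's takeaways are the ones the incident highlights: a leaked backup is only as safe as the master password and the iteration count behind it, and an endpoint keylogger bypasses both.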
LastPass outlined several actions it has taken to strengthen its security going forward, including an overhaul of its threat detection system and the allocation of "multi-million dollar funds" to security needs.