Password management software firm LastPass has shared details on a second breach stemming from the August 2022 hack, in which an unnamed threat actor gained access to portions of its development environment and stole source code and proprietary technical information using a compromised employee account.
“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022,” the company explained in a note published on its website. “The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources.”
LastPass said that the attacker used a remote code execution flaw in a vulnerable third-party media software package to compromise the home computer of one of its DevOps engineers, who had access to the decryption keys needed to reach the cloud storage service. The attacker then installed keylogger malware on the employee’s computer and captured the master password needed to open the DevOps engineer’s LastPass corporate vault.
The attacker then exported the native corporate vault entries and the contents of shared folders, which contained encrypted secure notes holding the access and decryption keys needed to reach the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
Following the incident, LastPass said it took steps to strengthen its security posture, including rotating critical and high-privilege credentials and reissuing certificates obtained by the threat actor, and that it applied additional S3 hardening measures, putting logging and alerting mechanisms in place.
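The logging and alerting mentioned above only help if something actually reads the logs for the pattern this incident showed: a legitimate principal, holding valid keys, enumerating and pulling backup objects in bulk from a network the company does not control. The following is an added example, not LastPass's own tooling, of the kind of detector a defender would run over S3 data-event records. It assumes CloudTrail-style fields (`eventTime`, `eventName`, `userIdentity.arn`, `sourceIPAddress`) and a hypothetical corporate address range; the sample records are constructed for illustration.

```python
"""Flag bulk S3 object reads and reads from unexpected networks in
CloudTrail-style data-event records (added example; sample data is constructed)."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed corporate egress range (hypothetical value, not from the article).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# S3 API calls that read or enumerate objects; writes are out of scope here.
READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2", "ListObjectVersions"}


def parse_time(ts):
    """CloudTrail timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect_s3_exfil(events, window_seconds=600, threshold=50):
    """Return one finding per (principal, rule) pair.

    Rule 'untrusted_source': any read event from outside TRUSTED_NETWORKS.
    Rule 'bulk_read': more than `threshold` read events inside any sliding
    window of `window_seconds`, regardless of where they came from.
    """
    findings = []
    by_principal = defaultdict(list)
    # ISO-8601 Z timestamps sort correctly as strings.
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e["eventName"] not in READ_EVENTS:
            continue
        by_principal[e["userIdentity"]["arn"]].append(e)

    for arn, evs in by_principal.items():
        untrusted = sorted({e["sourceIPAddress"] for e in evs
                            if not is_trusted(e["sourceIPAddress"])})
        if untrusted:
            findings.append({"principal": arn, "rule": "untrusted_source",
                             "detail": untrusted})

        # Sliding window over event times to find the busiest interval.
        window = deque()
        peak = 0
        for e in evs:
            t = parse_time(e["eventTime"])
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            findings.append({"principal": arn, "rule": "bulk_read",
                             "detail": peak})
    return findings


def make_event(ts, name, arn, ip, bucket="prod-backups"):
    """Build a minimal CloudTrail-like record (constructed test data)."""
    return {"eventTime": ts, "eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "requestParameters": {"bucketName": bucket}}


# Constructed records: a backup service doing a few reads from the corporate
# range, then a human engineer's session pulling 60 objects in one minute
# from an address in the TEST-NET-3 documentation block.
BACKUP_SVC = "arn:aws:iam::123456789012:user/backup-svc"
ENGINEER = "arn:aws:sts::123456789012:assumed-role/DevOpsEngineer/session"
SAMPLE_EVENTS = [make_event(f"2022-09-01T10:{m:02d}:00Z", "GetObject",
                            BACKUP_SVC, "10.0.1.5") for m in range(5)]
SAMPLE_EVENTS += [make_event(f"2022-09-01T11:00:{s:02d}Z", "GetObject",
                             ENGINEER, "203.0.113.7") for s in range(60)]


if __name__ == "__main__":
    for f in detect_s3_exfil(SAMPLE_EVENTS):
        print(f"{f['rule']:17} {f['principal']} -> {f['detail']}")
```

The two rules are deliberately independent: a stolen key used from an unfamiliar network trips the first even at low volume, while a long-lived session on a trusted host that suddenly drains a backup bucket trips the second. In practice the threshold and window should be tuned per principal, since a real backup job will legitimately read far more objects than an engineer's interactive session.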