LastPass says employee's home computer was hacked to steal a decrypted vault

midian182

In brief: Password manager LastPass has revealed details of a breach last year that resulted in partially encrypted user login data being stolen. The company confirmed that the incident stemmed from a previous hack in August that enabled the hacker to steal credentials from a DevOps engineer's home computer and obtain a decrypted vault.

In December, LastPass said it had detected unusual activity within an AWS cloud storage service shared by the organization and GoTo, the company formerly known as LogMeIn that acquired LastPass in 2021. It was determined that the hacker had gained access to "certain elements" of customer data, using information acquired in the previous hack on LastPass in August.

LastPass revealed more details of the second incident yesterday. It writes that although the initial breach ended on August 12, the hacker "was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity" from August 12 to August 26. The threat actor was able to steal credentials from a senior DevOps engineer during this period and access the company's shared cloud storage, which contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

Part of the attack involved infecting the home computer of the engineer, one of only four people with access to the decryption keys, with a keylogger. This was achieved by exploiting a remote code execution vulnerability in a third-party media software package. Ars Technica writes that the software in question was the streaming media service/media player Plex.

"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," writes LastPass.

Back in August, just 12 days after the second LastPass incident began, Plex announced the discovery of suspicious activity in one of its databases and found that a third party had accessed a subset of data that included emails, usernames, and encrypted passwords. Whether this was linked to the LastPass breach is unclear.

LastPass has revealed a detailed list of everything accessed during the breaches. If you're a user, changing the master password and all passwords in your vault would be a wise move.


 
This is incredibly bad for anyone who has EVER used lastpass for ANYTHING

I would never use a password manager for anything

This is just the beginning

and now.......
For those who do not understand the dry humorless context.....
This one is for you >

NEVER trust your security to complete strangers @ Lastpass / Microsoft / Apple / Google / etc / etc / etc
 
"Password manager LastPass has revealed details of a breach last year..."
A year later huh? Good lookin out! Looks like I dropped them at the right time. I know no passwords are safe, but with Lastpass the writing was on the wall. Good riddance.
 
Stay away from all password managers that are hosted by someone else.
Get yourself a cheap Raspberry Pi and host Vaultwarden by yourself.
 
"I can't do anything to *not* be in a breach like this (short of not using the service)"

Oh you can do plenty. Notably, you DON'T work on home computers, filled with software from questionable sources and without any kind of update management.

Plex, really? LastPass was audited successfully for ISO 27001 right before this breach happened. Which most certainly does not allow for things like this.

Which speaks volumes about the usefulness of such audits as well.
 
Stay away from all password managers that are hosted by someone else.
Get yourself a cheap Raspberry Pi and host Vaultwarden by yourself.
Right, because your own computer is unbreakable and more reliable than that of a 3rd party.... how exactly?

You guys are still forgetting that no customer credential was obtained. Only encrypted stuff was. Which would take billions of years to decrypt.

So while this incident is extremely lame, at the same time it's very reassuring. Call it "zero trust architecture" or whatever you want, it works.
 
This is incredibly bad for anyone who has EVER used lastpass for ANYTHING

I would never use a password manager for anything

This is just the beginning

and now.......
For those who do not understand the dry humorless context.....
This one is for you >

NEVER trust your security to complete strangers @ Lastpass / Microsoft / Apple / Google / etc / etc / etc
Sooo you're gonna run your own infrastructure, develop your own password vault, heck, research your own encryption algos, or.... just use sticky notes on your monitor? Or the same password for every site? :)

I like the arrogance of people who actually believe they can do better and are unhackable if they do it themselves.

There's no such thing as unhackable. There's minimizing risk, and that's all. And LastPass did that kinda well, because no customer passwords have been stolen, only encrypted data.
 
Sooo you're gonna run your own infrastructure, develop your own password vault, heck, research your own encryption algos, or.... just use sticky notes on your monitor? Or the same password for every site? :)

I like the arrogance of people who actually believe they can do better and are unhackable if they do it themselves.

There's no such thing as unhackable. There's minimizing risk, and that's all. And LastPass did that kinda well, because no customer passwords have been stolen, only encrypted data.
Exactly!
Developing my own infrastructure, password vault and encryption algos was finished years ago

It's not arrogance when they already work without problems

Even my Windows XP boxes are immune to every form of malware online

I've been using them online now for 9 solid years without a single malware problem
(running in a full admin account)

Studying "MALWARE" - "ONLINE" - "FOR 9 YEARS" - "RUNNING WINDOWS XP" - "WITHOUT EVEN ONE SINGLE MALWARE PROBLEM" !

You try it!

Yes, I AM the best!
Now, is there anything else I can help you with today?
 