LastPass has disclosed information about a second data breach carried out by the same threat actor who first breached the security company back in August.
The popular password manager revealed in a security advisory that the hacker “leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack.”
The threat actor is said to have targeted one of LastPass’ DevOps engineers who had access to the decryption keys needed to decode the data stolen during the first incident. The attacker infiltrated the employee’s home computer and exploited “a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware.”
The keylogger enabled the threat actor to obtain the engineer’s master password and gain access to their LastPass corporate vault.
“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” the advisory reads.
LastPass stated that because the hacker used the DevOps engineer’s credentials, it was “difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.” Fortunately, AWS GuardDuty alerts flagged anomalous behavior when the attacker “attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”
A large amount of customer information was stolen in both the first and second security incidents. The security company has since taken various measures and released support documents to contain the situation and help secure its users.