The password management solution LastPass finally published a definitive report to explain what happened last year when it informed its customers that its systems were breached and some sensitive data was stolen by unauthorized parties.
According to a lengthy blog post that included links to detailed reports about each incident, LastPass said that it has completed an “exhaustive research” to understand the origin and extent of the breach.
Hackers Targeted Key LastPass Employees to Breach its Systems
In the first of the two incidents, which occurred on 12 August 2022, the company noticed some access patterns from one of its software engineers that were inconsistent with the person’s regular activities.
The evidence showed that the corporate laptop of this employee was compromised, which allowed the hacker to gain access to the application’s cloud-based development environment.
As a result, the hacker was able to steal trade secrets from the firm including its source code and access credentials to its internal systems. Even though no customer data was exposed or accessed during this breach, LastPass later learned that the information gathered during this incident permitted the bad actors to perform the attack that took place later and that ultimately exposed a chunk of the firm’s customer data.
Meanwhile, the second incident allegedly occurred between 12 August and 26 October last year, when the hacker leveraged the access credentials obtained during the first incident, together with data siphoned from a Senior DevOps engineer employed by LastPass, to gain access to one of the firm’s cloud storage resources.
Only four DevOps engineers had access to the firm’s critical cloud infrastructure. One of these employees was targeted and their home computer was successfully breached by exploiting a vulnerability in a third-party media software package. As a result, a keylogger was installed on the computer, which allowed the hacker to obtain the remaining security credential needed to breach the cloud storage.
This credential was the engineer’s master password for their LastPass corporate password vault. The hacker exported the vaults within the engineer’s account along with the decryption keys needed to access many critical programming environments operated by the firm, including production backups and other cloud-storage resources.
With this data, the bad actor was able to penetrate several systems and databases, including some that contained unencrypted data from customers and many trade secrets from the firm.
LastPass clarified that, at this point, it had not performed some of the remedies outlined in the Incident #1 report, which included changing the company’s security credentials, certificates, and secrets that were obtained by the hacker in August.
URLs, Passwords, and Usernames Were Not Exposed
None of the encrypted data held within the vaults stolen by the hacker would be accessible unless they had access to the customer’s master password, LastPass reiterated. One way they could accomplish this is by using the contact information obtained from the breach – which was effectively exposed in many cases – to perform phishing campaigns that could seek to get this critical access credential.
If the master password is guessed, the hacker would immediately be able to decrypt the customer’s LastPass vault and obtain all of the URLs, usernames, passwords, and information held within the app’s secure notes.
“I acknowledge our customers’ frustration with our inability to communicate more immediately, more clearly, and more comprehensively throughout this event. I accept the criticism and take full responsibility. We have learned a great deal and are committed to communicating more effectively going forward. Today’s update is a demonstration of that commitment”, commented Karim Toubba, LastPass’s Chief Executive Officer.
In a separate Security Bulletin, LastPass provided guidance to customers regarding the measures they should take to protect themselves if they are being targeted by the bad actors who were behind this breach.