LastPass Data Stolen in August 2022 Breach Used For December Attack
LastPass has revealed that the threat actors who breached the company’s systems in December 2022 did so by leveraging information stolen via a previous attack in August.
In a blog post on Monday, the company said that while no customer data was stolen in the August 2022 incident, some source code and technical information were obtained from the LastPass development environment via a home computer belonging to a DevOps engineer.
From a technical standpoint, the information was obtained via a keylogger installed on the employee’s device by exploiting a remote code execution (RCE) vulnerability in a third-party media software package.
This information was then used to target another employee, the company said, with threat actors obtaining credentials and keys later used to access and decrypt certain storage volumes within the cloud-based storage service in the December attack.
“We have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata,” the company wrote.
These include company names, end-user names, billing addresses, email addresses and telephone numbers, as well as the IP addresses used by customers to access the LastPass website.
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data,” LastPass continued.
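The mixed format LastPass describes above, with URLs in the clear and credentials encrypted under a key derived from the master password, determines exactly what a party holding only a stolen backup can read. The following added example (not LastPass code, and not its proprietary binary format) builds a small JSON vault of that shape with the Python standard library so the split is visible: the clear fields are readable straight off the blob, while the sensitive fields only open with the master password. The field names, the PBKDF2 iteration count and the sample entries are constructed for illustration; the keystream is an HMAC-SHA256 counter construction used only so the example runs without third-party packages, standing in for a real AEAD cipher.

```python
"""Constructed illustration of a vault blob with clear and encrypted fields.

Not LastPass's format or code. Shows which fields an offline holder of the
blob can read without the master password, and which stay sealed.
"""
import hashlib
import hmac
import json
import os
import struct

KDF_ITERATIONS = 600_000          # assumption: illustrative PBKDF2 cost
CLEAR_FIELDS = ("url",)           # stored unencrypted, as the statement describes
ENCRYPTED_FIELDS = ("username", "password", "notes")


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream (HMAC counter mode), not AES; keeps the example stdlib-only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> dict:
    """Encrypt one sensitive field and authenticate nonce + ciphertext."""
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(key: bytes, blob: dict) -> str:
    """Verify the tag first, then decrypt; a wrong key fails closed."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong key or tampered field")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_vault(master_password: str, entries: list, salt: bytes = None) -> str:
    """Serialize entries: clear fields as-is, sensitive fields encrypted."""
    salt = salt or os.urandom(16)
    key = derive_key(master_password, salt)
    records = []
    for entry in entries:
        record = {f: entry[f] for f in CLEAR_FIELDS}
        record.update({f: encrypt_field(key, entry[f]) for f in ENCRYPTED_FIELDS})
        records.append(record)
    return json.dumps({"salt": salt.hex(), "kdf_iterations": KDF_ITERATIONS, "records": records})


def readable_without_key(vault_json: str) -> list:
    """What someone holding only the stolen blob sees: the clear fields."""
    vault = json.loads(vault_json)
    return [{f: r[f] for f in CLEAR_FIELDS} for r in vault["records"]]


def open_vault(vault_json: str, master_password: str) -> list:
    """Full decryption, which requires the master password (or a brute-force of it)."""
    vault = json.loads(vault_json)
    key = derive_key(master_password, bytes.fromhex(vault["salt"]), vault["kdf_iterations"])
    opened = []
    for r in vault["records"]:
        entry = {f: r[f] for f in CLEAR_FIELDS}
        entry.update({f: decrypt_field(key, r[f]) for f in ENCRYPTED_FIELDS})
        opened.append(entry)
    return opened


# Constructed sample entries, not real credentials.
SAMPLE_ENTRIES = [
    {"url": "https://bank.example", "username": "alice", "password": "hunter2", "notes": "joint account"},
    {"url": "https://mail.example", "username": "alice@example", "password": "s3cret!", "notes": ""},
]

if __name__ == "__main__":
    vault = build_vault("correct horse battery staple", SAMPLE_ENTRIES)
    print("visible without the master password:", readable_without_key(vault))
    print("visible with the master password:", open_vault(vault, "correct horse battery staple"))
```

The design point a defender takes from this is that once the blob is copied, the clear fields are gone for good and the encrypted ones are protected only by master-password strength and KDF cost, which is why users were advised to treat the URLs as exposed and to rotate passwords where the master password was weak or the iteration count low.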
According to Martin Mackay, CRO at Versa Networks, the breach updates by LastPass are a stark reminder that remote working and BYOD (bring your own device) are increasingly blurring the lines between home and work networks.
“People assume that if a personal home computer has nothing of value on it, then it won’t be a target for cyber-criminals; however, this is simply not true,” Mackay told Infosecurity in an email.
“Threat actors will use any security gap or weakness to initially breach the network, and then move laterally across to their intended target – in this case, it was corporate data from cloud storage.”
More generally, Javvad Malik, lead security awareness advocate at KnowBe4, said the incident is a textbook persistent attack in which threat actors increased their foothold in stages, without rushing.
“Many times we see statements from organizations which have suffered a breach downplaying the incident and stating that no financial data was stolen,” Malik told Infosecurity via email.
“But no incident should be considered small and should be thoroughly investigated to ensure that any stolen information cannot be used to launch further targeted attacks.”
More information about the LastPass breach is available in this analysis by Infosecurity deputy editor James Coker.