LastPass has revealed more information about a data breach in which threat actors were able to access and extract data from its Amazon AWS cloud storage servers for over two months. The company has provided more details about the attack vector, stating that the threat actors used information stolen in the August 2022 breach and earlier, together with a remote code execution vulnerability, to install a keylogger on a senior DevOps engineer's home computer.
The remote code execution vulnerability was in a third-party media software package on the targeted engineer's computer; the engineer was one of only four DevOps engineers with access to the decryption keys. According to the company's security advisory, the attackers were able to extract the engineer's master password from the MFA code and use it to access the engineer's LastPass corporate vault.
This disclosure follows a data breach in December 2022 in which the company said threat actors stole partially encrypted password vault data. In this "second coordinated attack", the threat actors gained access to the company's encrypted Amazon S3 buckets.
Overall, a significant amount of customer data has been stolen from LastPass, including customer account secrets, API keys, third-party integration information, DevOps secrets, a backup of LastPass' MFA/Federation database, and a backup of the company's customer database along with five of the Binary Large Object (BLOB) database shards, as detailed on this support page.
Additionally, the use of valid credentials made it difficult for LastPass investigators to distinguish malicious activity from ongoing legitimate activity. As a result, the hackers were inside the company's cloud storage for nearly two months, between August 12, 2022, and October 26, 2022.
Thanks to AWS GuardDuty alerts, the intruders were finally caught when they tried to use Cloud Identity and Access Management (IAM) roles to take unauthorised actions. Since then, LastPass says it has updated its security procedures, including revoking certificates, adding extra logging and alerting, rotating sensitive credentials and authentication keys, and enforcing stricter security policies.
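The detection problem described above, valid credentials that only stand out when they are used for something the principal never did before, is illustrated by the following added example. It is not LastPass's or AWS's code: the CloudTrail-style records, the principal ARN, the IP addresses and the list of "sensitive" service endpoints are all constructed for illustration.

```python
"""Baseline-deviation triage over CloudTrail-style events.
Added example, not LastPass's or AWS's code. Records are constructed and trimmed
to a few CloudTrail fields; the SENSITIVE_SOURCES list is an assumption."""
from collections import defaultdict

SENSITIVE_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com"}  # assumed high-value APIs

def _ev(time, arn, ip, source, name):
    return {"eventTime": time, "arn": arn, "sourceIPAddress": ip,
            "eventSource": source, "eventName": name}

DEVOPS = "arn:aws:iam::111122223333:user/devops-a"  # constructed principal
# Constructed baseline window: routine S3 work from the engineer's usual address.
BASELINE = [
    _ev("2022-07-01T09:00:00Z", DEVOPS, "203.0.113.10", "s3.amazonaws.com", "GetObject"),
    _ev("2022-07-02T10:15:00Z", DEVOPS, "203.0.113.10", "s3.amazonaws.com", "PutObject"),
]
# Constructed later window: the same valid credentials, one familiar and two unfamiliar uses.
LATER = [
    _ev("2022-08-12T03:00:00Z", DEVOPS, "203.0.113.10", "s3.amazonaws.com", "GetObject"),
    _ev("2022-08-12T03:05:00Z", DEVOPS, "198.51.100.7", "s3.amazonaws.com", "GetObject"),
    _ev("2022-10-26T14:00:00Z", DEVOPS, "198.51.100.7", "sts.amazonaws.com", "AssumeRole"),
]

def build_baseline(events):
    """Per principal: the source IPs and AWS service endpoints seen in the baseline window."""
    profile = defaultdict(lambda: {"ips": set(), "sources": set()})
    for e in events:
        profile[e["arn"]]["ips"].add(e["sourceIPAddress"])
        profile[e["arn"]]["sources"].add(e["eventSource"])
    return profile

def detect(events, profile):
    """Return (time, arn, eventName, reasons) for events that deviate from the baseline.
    A new IP alone is weak evidence (remote staff roam); paired with a first-ever
    IAM/STS call it is the signal worth paging an analyst for."""
    findings = []
    for e in events:
        p = profile.get(e["arn"])
        if p is None:
            reasons = ["unknown principal"]
        else:
            reasons = []
            if e["sourceIPAddress"] not in p["ips"]:
                reasons.append("new source IP")
            if e["eventSource"] in SENSITIVE_SOURCES and e["eventSource"] not in p["sources"]:
                reasons.append("first IAM/STS use")
        if reasons:
            findings.append((e["eventTime"], e["arn"], e["eventName"], reasons))
    return findings
```

Running `detect(LATER, build_baseline(BASELINE))` leaves the routine GetObject from the known address alone and flags the other two events, the last with both reasons.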