The previously reported theft of LastPass customer password vaults has been traced back to a DevOps engineer at the company who had special access to backups, with the hackers reportedly exploiting a vulnerability in the engineer's home computer to obtain their credentials. The engineer was one of only four at the company able to access the cloud storage environment containing these backups.
LastPass says that the threat actor behind all this had been making repeated incursions into company systems since at least August 2022, finding an assortment of creative ways to steal credentials and escalate privileges. The password vaults remain protected by users' own master passwords, which were not compromised, but the stolen copies are now exposed to offline brute force cracking efforts.
Use of home device leads to devastating theft of customer password vaults
LastPass has advised customers to change their master passwords, but this will not protect password vaults that have already been exfiltrated from the environment. Those now rely on the strength of the encryption, the complexity of the customer's master password and the individual level of interest from hackers. Customers known to be in possession of crypto or other financial assets are at the greatest risk.
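The point above, that an exfiltrated vault is only as safe as its key derivation and the master password behind it, can be made concrete. The following is an added illustration, not LastPass code and not a description of its actual vault format: it derives a vault key with PBKDF2-HMAC-SHA256 (a standard construction, assumed here for illustration), times one derivation, and estimates how long an offline guessing campaign would take on average for a given password entropy. The iteration counts, salt and timing figures are constructed inputs, not values from the article.

```python
import hashlib
import math
import os
import time

# Constructed parameters for the illustration (not from the article).
KEY_LEN_BYTES = 32
ITERATIONS_LOW = 1_000       # weak, legacy-style setting (assumed)
ITERATIONS_HIGH = 100_000    # stronger setting (assumed)


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a symmetric vault key from a master password.

    PBKDF2-HMAC-SHA256 is used as a generic, standard slow KDF; the cost
    an attacker pays per guess scales linearly with `iterations`.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN_BYTES)


def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one key derivation on this machine (a proxy for one guess)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_seconds(entropy_bits: float, seconds_per_guess: float) -> float:
    """Average time to find a password of the given entropy by exhaustive
    guessing: half the keyspace (2**(bits-1)) guesses, each costing one
    key derivation. Ignores attacker parallelism, so treat as a lower bound
    on effort per core, not a real-world safety margin."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * seconds_per_guess


def summarize(entropy_bits: float, iterations: int) -> dict:
    """Report per-guess cost and expected crack time for one KDF setting."""
    spg = measure_seconds_per_guess(iterations)
    secs = expected_crack_seconds(entropy_bits, spg)
    return {
        "iterations": iterations,
        "seconds_per_guess": spg,
        "expected_years": secs / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    # Constructed sample: a 40-bit password (roughly eight random lowercase
    # letters) under the weak and the strong iteration setting.
    for iters in (ITERATIONS_LOW, ITERATIONS_HIGH):
        print(summarize(40, iters))
    # A much longer passphrase dominates everything else (constructed: 80 bits).
    print(summarize(80, ITERATIONS_HIGH))
```

Two things to take from running it: the expected time grows linearly with the iteration count but exponentially with password entropy, so a long passphrase buys far more than any server-side tuning, and because the vault copy is offline, neither a password change nor any action by the vendor can raise the attacker's cost after the fact.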
In addition to the password vaults, the attackers took a range of unspecified internal company information; not all of these thefts were a direct result of the credentials stolen from the DevOps engineer as the hackers apparently obtained additional login information. The identity of the attacker remains a mystery as the stolen information has yet to surface on the dark web.
Media player on DevOps engineer’s system compromised
The story on the password vaults has now changed several times since LastPass first disclosed the incident months ago. At first it indicated nothing was taken that customers need to worry about and that the incident was confined to the development environment. Later it came out that customer data was stolen, and we now know that the breach window was longer than previously thought and that a select group of DevOps engineers with high-level access was involved.
It is true that the development environment was compromised, but it happened to contain a folder with keys that opened a cloud server containing customer backups. The DevOps engineers reportedly make use of this in routine administrative duties, though the company did not expand on whether it is policy for this environment to be accessed from home devices.
LastPass also did not get into details about the compromise of the personal device other than to say that a known vulnerability in a third-party media player was to blame. The streaming service Plex has been named by some reports, as it experienced its own data breach just days after the initial LastPass incursion. The attacker was able to access the DevOps engineer's personal device in this way and install a keylogger, which yielded the credentials that led to the stolen data.
LastPass has announced various security improvements as a result of the breach, but its overall handling of the incident has already cost it customers and may be financially crippling. While the loss of employee credentials is an understandable explanation for a long breach window (intrusions are very hard to detect when the traffic does not look unusual), the public has a right to feel that the company has not been nearly as forthright or responsive as it should have been given the seriousness of the data that was compromised. For organizations, there is a lesson here about exactly how free a hand employee personal devices should have in accessing internal resources.