LastPass data theft
LastPass data theft: DevOps engineer hacked to steal password

LastPass, a popular password management service, has revealed that it was hit by a coordinated second attack in 2022. The result was LastPass data theft from its Amazon AWS cloud storage servers for over two months. The company disclosed a breach in December 2022, where hackers stole partially encrypted password vault data and customer information. LastPass now offers additional information on the attack. It includes threat actors, information stolen in an August breach, data from another data breach. It also includes a remote code execution vulnerability to install a keylogger on a senior DevOps engineer’s computer.

Company disclosure on LastPass data theft

The company discloses that the hackers are using data stolen. It is in a use to gain access to the encrypted Amazon S3 buckets. As only four DevOps engineers had access to the decryption keys, the hackers targeted one of the engineers. The threat actors were successful to install a keylogger on the employee’s device. It was done by exploiting a remote code execution vulnerability in a third-party media software package. This allowed the hackers to capture the employee’s master password. It led to gaining access to the DevOps engineer’s LastPass corporate vault.

The hackers then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.

The use of valid credentials made it challenging for the company’s investigators. It was hard to detect the threat actor’s activity that allows to steal data from LastPass’ cloud storage servers. It was for over two months, between August 12, 2022, to October 26, 2022.

Detection story of LastPass data theft

LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity. The company has since updated its security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.

As part of the disclosure, LastPass released more detailed information on the customer data stolen in the attack. Depending on the particular customer, this data ranged from Multifactor Authentication (MFA) seeds, MFA API integration secrets, and to Split knowledge component (“K2”) Key for Federated business customers. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using the company’s Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. End user master passwords are never known to LastPass and are not stored or maintained by LastPass, therefore, they were not included in the exfiltrated data.

LastPass has released a PDF titled “What actions should you take to protect yourself or your business,” which contains further steps customers can perform to protect their environments.

Summary of stolen data

Incident 1:

  • On-demand, cloud-based development and source code repositories – 14 out of 200 software repositories
  • Internal scripts from the repositories – these contained LastPass secrets and certificates.
  • Internal documentation – technical information that described how the development environment operated.

Incident 2:

  • DevOps Secrets – restricted secrets that were used to gain access to the cloud-based backup storage.
  • Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data.
  • Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split