More Details Emerge in the LastPass Breach
Many users and those in the security community have been upset with LastPass since last August when it suffered a major breach. However, new information has come to light which suggests that LastPass was dealing with a complex adversary, and that maybe we should grant it some more leniency.
On December 22, LastPass disclosed that the cybercriminals behind the initial August breach had exploited the acquired information to infiltrate their systems once again in November. The hackers managed to copy a backup of partially encrypted customer vault data, which included website URLs, usernames, and passwords. In response, LastPass urged users to change all stored passwords as an added precaution, even though the company assured that the master passwords still protected the accounts.
But now, LastPass has revealed that the malicious actor behind both security incidents was actively involved in a series of reconnaissance and exfiltration activities from August 12th to October 26th. During this time, the attacker compromised the home network and home computer of one of only four employees with access to the master keys. The attacker gained access to this last piece "[...] by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."
None of the credentials have leaked or have been found for sale since the breach, meaning the exploitation of these materials is yet to come. The facts of the situation and the hoarding of the information suggest a complex adversary, potentially a nation-state actor.