The popular password manager LastPass faced a major attack last year that compromised sensitive data of its users, including passwords. Back in December, the company shared a statement confirming that attackers obtained such data and that users should change their passwords. Now LastPass has revealed that the incident was caused by credentials stolen from a DevOps engineer.
Engineer’s home computer led to LastPass security breach
As shared in a blog post (via ArsTechnica), there was a coordinated attack in August 2022 in which hackers were able to access and steal data from Amazon AWS cloud servers. More specifically, the credentials for the servers were stolen from a DevOps engineer who had access to cloud storage at the company. Because the attackers were using legitimate credentials, this made it more difficult for LastPass to detect the suspicious activity.
Interestingly, ArsTechnica heard from sources that the engineer’s computer was hacked through a vulnerability found in the Plex media platform. Twelve days after the LastPass attack, Plex confirmed that it had also suffered an attack that resulted in 15 million users’ passwords being stolen.
The servers accessed by the attackers contained backups of LastPass customers and encrypted vault data. Here’s what the company says:
This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
Following the incident, LastPass has taken a number of steps to prevent future attacks, alongside investigating what happened. The engineer was assisted in strengthening the security of their personal network, and additional multifactor authentication was added to LastPass’ systems. In addition, certificates obtained by the hackers have been revoked.
Change your passwords now
If you’re a LastPass user, the company strongly advises you to change all your passwords stored on the platform. The master password for the LastPass vault should also be changed. According to LastPass, the platform now has over 30 million users and over 100,000 corporate customers.
It’s worth noting that LastPass has a free version available, but some features require a subscription. More details can be found on the LastPass website.