Last year’s devastating breach of LastPass has been traced back to a piece of keylogging malware that was secretly installed on an employee’s home computer.
On Monday, LastPass provided(Opens in a new window) more details on the breach, which has shattered trust in one of the most popular password managers on the market. The company lost encrypted password vault data for all customers to a hacker who was secretly poking around LastPass’ systems for weeks.
One lingering question had been how the culprit broke into LastPass, despite its various security safeguards. The company held its encrypted password vault data in a cloud-based backup system, which required both Amazon AWS Access Keys and the LastPass-generated decryption keys in order to enter.
In Monday’s update(Opens in a new window), LastPass added that only four DevOps engineers at the company possessed the necessary decryption keys through a “highly restricted set of shared folders.” However, the hacker circumvented the company’s security safeguards by serving malware to one of the DevOps engineers at their home.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass said.
The malware then recorded the keystrokes on the engineer’s computer, enabling the hacker to capture the master password for the employee’s password vault at LastPass. The same malware appears to have helped the hacker bypass the multi-factor authentication on the account, which contained the decryption keys required to access LastPass’s cloud backup system.
LastPass didn’t name the “vulnerable third-party media software package.” But according(Opens in a new window) to Ars Technica, the vulnerable software was Plex, which can help consumers construct a media server to stream videos at home. (In August, Plex suffered its own breach, which involved a database containing user password information.)
The hacker was also able to target the DevOps engineer at LastPass after conducting an earlier breach on the company back in August involving its source code repositories. During the initial breach, the hacker hijacked a LastPass software engineer’s laptop, although it remains unclear how this was done. Still, the forensic evidence shows the culprit shut down the antivirus on the software engineer’s computer to remain hidden, LastPass said in Monday’s update.
The new report from LastPass indicates the hacker possessed some serious computer infiltration skills. In addition, the report shows how an employee’s home computer can be exploited to break into a major company.
Recommended by Our Editors
LastPass CEO Karim Toubba also notes that many customers have been frustrated with the company’s “inability to communicate more immediately, more clearly, and more comprehensively throughout this event.” The company initially announced the breach on Dec. 22, almost two months after the hacker had left LastPass’s internal systems.
“I accept the criticism and take full responsibility. We have learned a great deal and are committed to communicating more effectively going forward. Today’s update is a demonstration of that commitment,” he wrote in a post(Opens in a new window) to customers. The company has also made numerous changes, including installing new security technologies, following the breaches. Despite the pledge, many users on social media have reported switching to other password managers.
For more, check out What Really Happens In a Data Breach (and What You Can Do About It) and How to Switch to a New Password Manager.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Hits: 0
