LastPass DevOps engineer computer breached to steal password vault in second 2022 breach

Password management giant LastPass revealed more information on a “coordinated second attack,” where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for two and a half months.

This saga started in August 2022, when LastPass CEO Karim Toubba confirmed that an “unauthorized party gained access to portions of the LastPass development environment,” and “took portions of source code and some proprietary LastPass technical information.” This incident had not compromised master passwords. Toubba updated the LastPass incident statement in September 2022 with further details of what the attacker had accessed. On November 30, 2022, Toubba updated that statement again: company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service had been accessed by the attacker. The attacker accessed both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data. This meant that the attacker now had customer password vaults but not the means to open them, unless they tried known passwords from other breaches or weakly constructed master passwords.

On March 1, 2023, the company published another update, saying that the threat actor compromised a “DevOps engineer’s home computer” by “exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts, when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.

The complete list of the customer data that was breached is posted on this support page.

Read more about it here.
