Hackers targeted a LastPass DevOps engineer’s personal computer and exploited a vulnerability in third-party media player software. This allowed the hacker to install keylogging software that would record the employee’s keystrokes. The hacker was able to capture the employee’s master password as it was typed in and gain access to the engineer’s corporate LastPass vault.
The hacker then exported the data stored in the corporate vault which contained passwords, decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and critical database backups. AWS GuardDuty alerted the LastPass security team to the anomalous behaviour as the hacker performed unauthorised activities.
LastPass has been battling a persistent threat actor since August 2022 with the help of Mandiant, a Google-owned cybersecurity company. The incident that occurred late last year resulted in the theft of the company's source code and customers' password vaults.
The company has published a list of the data that was compromised across all their recent security breaches. The security community has noted that LastPass has made efforts to hide this page from search engines by adding <meta name="robots" content="noindex"> to the pages source code.
Incident management operations are still underway at LastPass and the company has carried out a wide range of checks in light of this new breach including rotating certificates, adding more logging and alerting, hardening their AWS S3 buckets, enabling conditional access policies and much more. A full list is available in their support article.