
LastPass Data Breach: Overview of the Two Coordinated Attacks

John Greenwood Posted On February 28, 2023

LastPass, a popular password management service, recently disclosed a coordinated attack where a threat actor accessed and stole data from the company’s Amazon AWS cloud storage servers for over two months.

In this article, we will provide a detailed overview of the two coordinated attacks and the stolen data. We will also outline recommended actions for LastPass’ Free, Premium, and Business customers.

LastPass Data Breach with Second Coordinated Attack

The LastPass data breach, in which partially encrypted password vault data and customer information were stolen, was first disclosed in December.

The company has now revealed how the attackers performed this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability.

Attackers Exploit Remote Code Execution Vulnerability

The attackers targeted one of LastPass’ four DevOps engineers who had access to the decryption keys for the encrypted Amazon S3 buckets. They ultimately installed a keylogger on the employee’s device by exploiting a remote code execution vulnerability in a third-party media software package.

This allowed the threat actor to capture the employee’s master password and gain access to the LastPass corporate vault.

Valid Credentials Used in LastPass Data Breach

The use of valid credentials made it difficult for LastPass to detect the threat actor’s activity, allowing the hacker to access and steal data from the company’s cloud storage servers for over two months, from August 12, 2022, to October 26, 2022.

The anomalous behavior was eventually detected through AWS GuardDuty Alerts when the attacker attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
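The detection gap described above can be illustrated with a short script over CloudTrail-style records. This is an added example, not code from LastPass or the logic AWS GuardDuty uses; the events, account ID, user names and the `find_denied_identity_calls` helper are constructed for illustration. It shows that successful reads made with valid credentials raise no signal, while denied STS/IAM calls do, and it reports how long the source was active before the first denial.

```python
from collections import defaultdict
from datetime import datetime

IDENTITY_SOURCES = {"sts.amazonaws.com", "iam.amazonaws.com"}

def ev(time, arn, ip, source, name, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "userIdentity": {"arn": arn},
           "sourceIPAddress": ip, "eventSource": source, "eventName": name}
    if error:
        rec["errorCode"] = error
    return rec

# Hypothetical principals; the account ID and IPs are documentation placeholders.
USER = "arn:aws:iam::111122223333:user/example-devops"
OTHER = "arn:aws:iam::111122223333:user/example-dev"
SAMPLE_EVENTS = [
    ev("2022-01-03T09:00:00Z", USER, "198.51.100.7", "s3.amazonaws.com", "GetObject"),
    ev("2022-01-05T11:00:00Z", OTHER, "198.51.100.9", "sts.amazonaws.com", "AssumeRole", "AccessDenied"),
    ev("2022-01-10T02:14:00Z", USER, "203.0.113.50", "s3.amazonaws.com", "ListBuckets"),
    ev("2022-01-10T02:20:00Z", USER, "203.0.113.50", "s3.amazonaws.com", "GetObject"),
    ev("2022-01-24T03:05:00Z", USER, "203.0.113.50", "sts.amazonaws.com", "AssumeRole", "AccessDenied"),
    ev("2022-01-24T03:06:00Z", USER, "203.0.113.50", "iam.amazonaws.com", "ListRoles", "AccessDenied"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_denied_identity_calls(events, threshold=2):
    """Flag (principal, source IP) pairs with >= threshold denied STS/IAM calls."""
    first_seen = {}              # (arn, ip) -> time of first event of any kind
    denials = defaultdict(list)  # (arn, ip) -> times of denied STS/IAM calls
    for e in sorted(events, key=lambda e: e["eventTime"]):
        key = (e["userIdentity"]["arn"], e["sourceIPAddress"])
        when = parse(e["eventTime"])
        first_seen.setdefault(key, when)
        if e.get("errorCode") == "AccessDenied" and e["eventSource"] in IDENTITY_SOURCES:
            denials[key].append(when)
    findings = []
    for (arn, ip), times in denials.items():
        if len(times) >= threshold:
            # Days this source was active with valid credentials before any denial.
            quiet_days = (times[0] - first_seen[(arn, ip)]).days
            findings.append({"arn": arn, "ip": ip,
                             "denied_calls": len(times), "quiet_days": quiet_days})
    return findings

if __name__ == "__main__":
    for finding in find_denied_identity_calls(SAMPLE_EVENTS):
        print(finding)
```
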

LastPass Releases Detailed Information on Stolen Data

As part of their recent disclosure, LastPass has released more detailed information on the customer information that was stolen in the attack.

This data varies depending on the customer and includes Multifactor Authentication (MFA) seeds, MFA API integration secrets, and Split knowledge component (“K2”) Key for Federated business customers. LastPass also listed other sensitive customer data, including cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, and customer metadata.

Recommended Actions for Customers

LastPass has released a PDF titled “Security Incident Update and Recommended Actions,” which contains further information about the breach and the stolen data.

The company has also created support documents containing recommended actions that should be taken for Free, Premium, and Families customers and LastPass Business Administrators. These bulletins contain recommended steps to harden your LastPass account and integration further.

LastPass has suffered two coordinated attacks, with the most recent attack allowing the attacker to steal data for over two months. The stolen data included customer information such as MFA seeds and API integration secrets.

LastPass has released recommended actions that should be taken by their customers to harden their accounts further. It is essential to follow these recommendations to mitigate the risk of future attacks.



Author

John Greenwood

He has been working in the cybersecurity and infosec market for 12+ years. He is passionate about AI, cybersecurity, information security, blockchain and machine learning. When he is not occupied with cybersecurity, he likes to go on bike rides!
