
Vulnerable software on a remote worker’s home PC was part of the reason password manager LastPass got hacked in 2022, leading to backups of encrypted customer password vaults being accessed by attackers.

LastPass recently published a detailed rundown of the breach, which saw customer data such as names, billing and email addresses, and phone numbers stolen along with the vault backups.

After first compromising a corporate employee laptop to steal source code and user credentials and to learn how LastPass’s cloud is configured, the attacker identified and targeted the home PC of a DevOps engineer who held the AWS decryption keys.

The hacker then exploited “a vulnerable third-party media software package, which enabled remote code execution capability” and installed a keylogger.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” LastPass said.

These decryption keys, stored in the engineer’s LastPass vault alongside a set of Amazon Web Services (AWS) access keys, would open the AWS S3 storage buckets that held the encrypted backups of customer vaults.

That DevOps engineer was one of four people who had access to that specific set of decryption keys. “Specifically,” LastPass said, “the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.” It said there were two security incidents that appeared unrelated, partly because alerts and logs didn’t show “the anomalous behaviour that became clearer in retrospect”.
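The detection problem LastPass describes, valid credentials used by the wrong party, is usually tackled by baselining the context each credential is normally used from and alerting when a sensitive call arrives from a context never seen before. The following is an added example written for this page, not LastPass’s own detection logic and not code from its write-up. It uses the real CloudTrail field names (eventName, sourceIPAddress, userAgent, userIdentity.accessKeyId, requestParameters.bucketName) but every access key ID, IP address, user agent, bucket name and log line is constructed for illustration, and it assumes one long-lived access key per engineer:

```python
"""Flag 'valid credentials, unfamiliar context' in CloudTrail-style S3 events.
Constructed illustration: every key ID, IP, user agent and bucket below is invented."""
import json
from collections import defaultdict

# S3 read-side calls that expose backup contents; from an unseen context they
# are high severity rather than merely worth a look.
SENSITIVE_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2", "CopyObject"}

# Invented identifiers (assumption: a single long-lived key per engineer).
ENGINEER_KEY = "AKIAEXAMPLEENG00001"
BACKUP_BUCKET = "example-vault-backups"
ARTIFACT_BUCKET = "example-build-artifacts"
CLI_AGENT = "aws-cli/2.11.0 Python/3.11.2 Linux/5.15"
SDK_AGENT = "aws-sdk-go/1.44.0 (go1.19; linux; amd64)"


def _event(ts, name, ip, agent, bucket=None, key=ENGINEER_KEY):
    """One CloudTrail-shaped record using CloudTrail's real field names."""
    ev = {"eventTime": ts, "eventName": name, "sourceIPAddress": ip,
          "userAgent": agent, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if bucket:
        ev["requestParameters"] = {"bucketName": bucket}
    return ev


def _jsonl(events):
    return "\n".join(json.dumps(e) for e in events)


# Known-clean window (constructed): office egress IP and the engineer's home IP, always via the CLI.
BASELINE_JSONL = _jsonl([
    _event("2022-07-01T09:12:00Z", "ListObjectsV2", "203.0.113.10", CLI_AGENT, BACKUP_BUCKET),
    _event("2022-07-01T09:13:00Z", "GetObject", "203.0.113.10", CLI_AGENT, BACKUP_BUCKET),
    _event("2022-07-03T20:40:00Z", "PutObject", "198.51.100.7", CLI_AGENT, ARTIFACT_BUCKET),
])

# Incident window (constructed): the engineer keeps working while someone else uses the same key.
INCIDENT_JSONL = _jsonl([
    _event("2022-08-12T10:02:00Z", "GetObject", "203.0.113.10", CLI_AGENT, BACKUP_BUCKET),
    _event("2022-08-12T23:41:00Z", "ListObjectsV2", "192.0.2.55", SDK_AGENT, BACKUP_BUCKET),
    _event("2022-08-12T23:42:00Z", "GetObject", "192.0.2.55", SDK_AGENT, BACKUP_BUCKET),
    _event("2022-08-13T08:15:00Z", "GetObject", "198.51.100.7", CLI_AGENT, ARTIFACT_BUCKET),
    _event("2022-08-13T23:50:00Z", "GetCallerIdentity", "192.0.2.55", SDK_AGENT),
])


def parse_events(jsonl):
    """One JSON object per line, as CloudTrail Lake or an Athena export gives you."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def build_baseline(events):
    """Per access key: the source IPs, user agents and buckets seen while clean."""
    baseline = defaultdict(lambda: {"ips": set(), "agents": set(), "buckets": set()})
    for ev in events:
        profile = baseline[ev["userIdentity"]["accessKeyId"]]
        profile["ips"].add(ev["sourceIPAddress"])
        profile["agents"].add(ev["userAgent"])
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            profile["buckets"].add(bucket)
    return dict(baseline)


def evaluate(events, baseline):
    """Return a finding for every event whose context the key has not used before."""
    findings = []
    for ev in events:
        key = ev["userIdentity"]["accessKeyId"]
        profile = baseline.get(key)
        reasons = []
        if profile is None:
            reasons.append("access key absent from baseline")
        else:
            if ev["sourceIPAddress"] not in profile["ips"]:
                reasons.append("new source IP " + ev["sourceIPAddress"])
            if ev["userAgent"] not in profile["agents"]:
                reasons.append("new user agent " + ev["userAgent"])
            bucket = ev.get("requestParameters", {}).get("bucketName")
            if bucket and bucket not in profile["buckets"]:
                reasons.append("first access to bucket " + bucket)
        if not reasons:
            continue  # known key from a known context: looks exactly like normal work
        findings.append({
            "eventTime": ev["eventTime"], "eventName": ev["eventName"], "accessKeyId": key,
            "severity": "high" if ev["eventName"] in SENSITIVE_EVENTS else "medium",
            "reasons": reasons,
        })
    return findings


def run_example():
    """Baseline on the clean window, then score the incident window."""
    return evaluate(parse_events(INCIDENT_JSONL), build_baseline(parse_events(BASELINE_JSONL)))


if __name__ == "__main__":
    for f in run_example():
        print(f["eventTime"], f["severity"].upper(), f["eventName"], "; ".join(f["reasons"]))
```

Two caveats matter for this kind of check. The baseline has to be built from a window that predates the attacker’s first use of the key, otherwise the attacker’s context is learned as normal; LastPass’s own remark that the anomaly only became clear in retrospect is exactly that failure mode. And because the keylogger ran on the engineer’s own home PC, an attacker who drives the session from that machine shows the same IP and user agent as the engineer, and the check above stays silent. Context baselining is therefore a complement to limiting how many people can decrypt the backups and to short-lived credentials, not a replacement for them.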
