One of the big names in password managers, LastPass, was breached last August. At the time, the company claimed that no user data was compromised.
An update in December revealed that the hackers had then launched a phishing campaign against a LastPass employee, obtaining credentials and keys they used to decrypt some basic customer data, but passwords and usernames remained safe.
Are you still reeling from those past attacks? LastPass just shared some more bad news. If you’re a customer, you will want to read this.
Popular password manager hacked again
In a post titled “Incident 2 – Additional details of the attack,” LastPass announced that the second attack was more damaging than initially thought. The following is a timeline of events.
The first attack
In August, LastPass announced that a threat actor gained unauthorized access through a single compromised developer account. The hacker stole encrypted LastPass credentials, source code and proprietary LastPass technical information.
LastPass said customer data was safe, as the decryption keys can only be retrieved from the following:
- Closely guarded on-premises data centers.
- A highly restricted set of shared folders in a LastPass password manager vault used by just four DevOps engineers for administrative duties.
This attack concluded on Aug. 12, 2022.
The second attack
The hackers then launched a phishing campaign against an employee, obtaining credentials and keys, which they used to access and decrypt storage volumes within the cloud-based storage service.
The virtual storage contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers and IP addresses from which customers accessed LastPass.
The second attack ran from Aug. 12 to Oct. 26, 2022.
What we know now
During the second attack, the threat actor used information gleaned from the first to steal credentials from one of the four senior DevOps engineers with access to the shared folders containing decryption keys. This was done before LastPass reset the system following the first attack.
To investigators, the threat actor’s activity resembled legitimate activity, so they didn’t catch on until it was too late.
The attacker targeted the DevOps engineer’s home computer and exploited vulnerable third-party media software, enabling remote code execution. The attacker installed keylogger malware and captured the employee’s master password as they entered it following multi-factor authentication.
The threat actor then gained access to the DevOps engineer’s LastPass corporate vault, which contained encrypted and unencrypted LastPass customer data.
A security bulletin from LastPass CEO Karim Toubba states that end-user master passwords were not compromised due to LastPass’ zero-knowledge architecture — only you have that information.
What to do after another LastPass hack
You can argue that LastPass will be stronger following these incidents. The company is implementing a slew of security measures, such as helping the hacked DevOps engineer strengthen their home network security.
We have to ask: Why was this information available on the employee’s home computer to begin with? It’s hard to come to terms with a company when the trust is broken. If you’re a LastPass customer, you should change your master password immediately.
Regardless of whether you use LastPass or not, here are some precautions to take:
- Use strong, unique passwords: Go here for 10 valuable password tips.
- Never use the same password for multiple accounts: Through a technique known as credential stuffing, hackers use the same stolen passwords on different services, hoping to find duplications.
- Where available, always use two-factor authentication: This additional security measure makes it difficult for hackers to break into accounts without the security code sent to your phone or an authentication app. Here’s more information on 2FA.
- Antivirus is vital: Always have a trusted antivirus program updated and running on all your devices. We recommend our sponsor, TotalAV. Right now, get an annual plan with TotalAV for only $19 at ProtectWithKim.com. That’s over 85% off the regular price!