LastPass, which in December 2022 disclosed a serious data breach that allowed unknown attackers to access vaults of encrypted passwords, now says the breach was the result of a second attack by the same attackers on its systems.

The company said one of its DevOps engineers had their personal (“home”, so to speak) computer hacked, and that a keylogger installed as part of a protracted cyber-attack was used to exfiltrate sensitive data from Amazon’s cloud storage, i.e. AWS.

What damage has occurred in this second round against LastPass?

“The attacker used information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party software package to launch a second coordinated attack,” the password management service declared.

This intrusion targeted the company’s infrastructure, resources and one of its employees from August 12, 2022 to October 26, 2022; the original breach, on the other hand, ended on August 12, 2022.

In the August breach, the intruders gained access to source code and proprietary technical information from the company’s development environment through a single compromised employee account.

In December 2022, LastPass revealed that the attacker had used the stolen information to access a cloud-based storage environment and obtain “certain elements of our customers’ information”.

Later that month, it was revealed that the attacker had obtained access to a backup of customer vault data, which the company says was protected with 256-bit AES encryption. LastPass, however, has not revealed the date on which the backup was made.

GoTo, the parent company of LastPass, also admitted a breach last month resulting from unauthorized access to a third-party cloud storage service.

Now, according to the company, the attacker engaged in a new series of “reconnaissance, enumeration and exfiltration” activities targeting its cloud storage service between August and October 2022.

“Specifically, the attacker was able to exploit valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment,” said LastPass, adding that the engineer “had access to the decryption keys needed to access the cloud storage service”.

This allowed the attacker(s) to gain access to the AWS S3 buckets that housed backups of LastPass customers’ encrypted vault data, the company said.

And what about the LastPass engineer?

The employee’s passwords were allegedly stolen by targeting this person’s computer and exploiting a “vulnerable third-party software package” to achieve remote code execution and install keylogger software.

“The attacker was able to snag the employee’s master password as it was being entered, after the employee authenticated with MFA, and accessed the DevOps engineer’s LastPass corporate vault,” LastPass said.

LastPass did not name the third-party software involved, but indications suggest it could be Plex, given that Plex itself suffered a security breach in late August 2022.

Wrapping up its disclosure, LastPass said that it has strengthened its security posture by rotating high-privilege and critical credentials, revoking and reissuing the certificates the attacker had obtained, and applying additional S3 hardening measures that add logging and alerting mechanisms.
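As an added illustration (not LastPass’s own code or configuration), the following Python script shows one way the “logging and alerting” side of such S3 hardening can work: it scans CloudTrail-style S3 data events for the enumerate-then-exfiltrate pattern described above, i.e. a principal listing a backup bucket and then pulling many objects with valid credentials, and raises the severity when the reads come from an address outside the documented egress set. The bucket name, IAM ARNs, IP addresses and event records are all constructed placeholders; the record layout is only loosely modelled on CloudTrail and would need adapting to real logs.

```python
"""Flag enumerate-then-exfiltrate activity against an S3 backup bucket.

Hypothetical detection logic for CloudTrail-style S3 data events. All
identifiers below (bucket, ARNs, IPs, timestamps) are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholders, not real LastPass resources.
BACKUP_BUCKET = "example-vault-backups"
KNOWN_EGRESS_IPS = frozenset({"203.0.113.10"})  # documented build-host egress
LIST_EVENTS = {"ListObjects", "ListObjectsV2", "ListBucket"}

BACKUP_JOB = "arn:aws:iam::123456789012:user/backup-job"
DEVOPS_ENG = "arn:aws:iam::123456789012:user/devops-eng"
OPS_ADMIN = "arn:aws:iam::123456789012:user/ops-admin"


def _event(time, name, arn, ip, key=None):
    """Build a minimal CloudTrail-style S3 data-event record (constructed)."""
    params = {"bucketName": BACKUP_BUCKET}
    if key:
        params["key"] = key
    return {
        "eventTime": time,
        "eventName": name,
        "userIdentity": {"arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": params,
    }


# Constructed sample: a nightly backup write, a burst of reads by a valid
# engineer identity from an unknown address, and one routine admin read.
SAMPLE_EVENTS = [
    _event("2022-09-01T02:00:00Z", "PutObject", BACKUP_JOB, "203.0.113.10", "2022-09-01/vaults.tar.enc"),
    _event("2022-09-01T02:00:05Z", "PutObject", BACKUP_JOB, "203.0.113.10", "2022-09-01/manifest.json"),
    _event("2022-09-01T09:14:00Z", "ListObjects", DEVOPS_ENG, "198.51.100.77"),
    _event("2022-09-01T09:14:30Z", "GetObject", DEVOPS_ENG, "198.51.100.77", "2022-08-01/vaults.tar.enc"),
    _event("2022-09-01T09:15:02Z", "GetObject", DEVOPS_ENG, "198.51.100.77", "2022-08-08/vaults.tar.enc"),
    _event("2022-09-01T09:15:40Z", "GetObject", DEVOPS_ENG, "198.51.100.77", "2022-08-15/vaults.tar.enc"),
    _event("2022-09-01T09:16:11Z", "GetObject", DEVOPS_ENG, "198.51.100.77", "2022-08-22/vaults.tar.enc"),
    _event("2022-09-01T09:17:05Z", "GetObject", DEVOPS_ENG, "198.51.100.77", "2022-08-29/vaults.tar.enc"),
    _event("2022-09-01T09:18:49Z", "GetObject", DEVOPS_ENG, "198.51.100.77", "2022-09-01/vaults.tar.enc"),
    _event("2022-09-01T11:00:00Z", "GetObject", OPS_ADMIN, "203.0.113.10", "2022-09-01/manifest.json"),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_exfiltration(events, bucket, window=timedelta(minutes=10), min_gets=5,
                      known_ips=frozenset()):
    """Return one alert per (principal, source IP) that read at least
    `min_gets` objects from `bucket` inside any `window`-long span.

    Each alert records whether a bucket listing preceded the reads
    (reconnaissance before exfiltration) and whether the source address is
    outside the known egress set; both together raise severity to "high".
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["requestParameters"].get("bucketName") == bucket:
            groups[(ev["userIdentity"]["arn"], ev["sourceIPAddress"])].append(ev)

    alerts = []
    for (arn, ip), evs in groups.items():
        evs.sort(key=_ts)
        first_list = next((_ts(e) for e in evs if e["eventName"] in LIST_EVENTS), None)
        gets = [_ts(e) for e in evs if e["eventName"] == "GetObject"]
        # Densest burst: for each read taken as window start, count reads within the window.
        burst = max((sum(1 for t in gets[i:] if t - start <= window)
                     for i, start in enumerate(gets)), default=0)
        if burst < min_gets:
            continue
        listed_first = first_list is not None and first_list <= gets[0]
        unknown_ip = ip not in known_ips
        alerts.append({
            "principal": arn,
            "source_ip": ip,
            "get_count": burst,
            "listed_first": listed_first,
            "unknown_ip": unknown_ip,
            "severity": "high" if (listed_first and unknown_ip) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration(SAMPLE_EVENTS, BACKUP_BUCKET, known_ips=KNOWN_EGRESS_IPS):
        print(alert)
```

On the constructed sample the script produces a single high-severity alert for the engineer identity: six GetObject calls inside ten minutes, preceded by a listing, from an address not in the egress set, while the backup job’s writes and the admin’s lone read stay silent. In practice the thresholds and the known-egress list would be tuned per bucket, and the alert would feed whatever alarm channel the S3 logging pipeline already uses.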

Finally, if you are a LastPass user, it is highly recommended that you change your master password and any passwords stored in your vault to avoid putting the security of your accounts and data at risk, and who knows… maybe a notebook is a safer place to store your credentials than LastPass.

A service like LastPass appeals to many bad actors for an obvious reason: if many users store their credentials there, compromising it potentially means access to literally a quarter of the globe’s personal data.

That means Facebook, Instagram, TikTok and other social accounts, bank accounts, cryptocurrency wallets and who knows what else. A real gold mine for a hacker who intends to steal not only data, but perhaps even money through some “hijacking”.

That is why, in the end, joking aside, you can be sure of one thing: no one can hack a paper notebook.