LastPass Hack: Developer Was Targeted At Home

LastPass has revealed details of a second breach of the password manager’s data, in which a key employee was targeted at home.

The LastPass hack happened last August, resulting in the theft of partially encrypted customer data. It has now revealed details of a second strike in which one of only four employees who had access to the decryption keys required to access the company’s cloud storage was attacked via his home network.

According to LastPass’s account of the so-called Incident 2, the successful attack “was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package”.

The statement went on to explain that this enabled “remote code execution capability and allowed the threat actor to implant keylogger malware”.

This meant the attacker could “capture the employee’s master password as it was entered, after the employee authenticated with MFA [multi-factor authentication], and gain access to the DevOps engineer’s LastPass corporate vault”.

The so-called threat actor was consequently able to to access “LastPass production backups, other cloud-based storage resources, and some related critical database backups”.

attack didn’t set off alarms

The Amazon cloud service that LastPass uses issues alerts when unauthorised users attempt to gain access to the company’s data. But because the attacker had managed to gain access using a key employee’s credentials, alerts weren’t set off and logged activity didn’t look irregular.

“The threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity,” LastPass’s account states.

LastPass adds that it has taken a series of additional security measures since the attack. These include helping the targeted engineer to harden the security on their home network, revoking and reissuing certificates obtained by the attacker and strengthening security on the Amazon cloud storage.

LastPass has also published a series of recommended security steps that both consumer and business customers should take in the wake of the LastPass hack. We summarise the business recommendations below.

The LastPass attack has seriously dented the company’s reputation, not least for the amount of time it took to publish full details of last summer’s breach.

The company is (inevitably) facing a class action lawsuit in the US from one customer who claims to have had $53,000 worth of cryptocurrency stolen after the private keys to his Bitcoin transactions were stored in the password manager.

Read next: After 17 year of cloud computing, what lessons have we learned?

lastpass hack advice to businesses

  • Enable policies that ensure each end user creates a strong and unique password. 
  • Identify users who are using weak passwords using the Admin console. 
  • Communicate with users about risks of phishing and social engineering.
  • Pay particular attention to “super admins”, ensuring they follow best practice. 
  • Take a risk-based approach when it comes to super admins’ power. 
  • Enforce MFA for super admins and non-federated users.
Avatar photo
Barry Collins

Barry has 20 years of experience working on national newspapers, websites and magazines. He was editor of PC Pro and is co-editor and co-owner of He has published a number of articles on TechFinitive covering data, innovation and cybersecurity.