LastPass Hack: Developer Was Targeted At Home
LastPass has revealed details of a second breach of the password manager’s data, in which a key employee was targeted at home.
The LastPass hack happened last August, resulting in the theft of partially encrypted customer data. It has now revealed details of a second strike in which one of only four employees who had access to the decryption keys required to access the company’s cloud storage was attacked via his home network.
According to LastPass’s account of the so-called Incident 2, the successful attack “was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package”.
The statement went on to explain that this enabled “remote code execution capability and allowed the threat actor to implant keylogger malware”.
This meant the attacker could “capture the employee’s master password as it was entered, after the employee authenticated with MFA [multi-factor authentication], and gain access to the DevOps engineer’s LastPass corporate vault”.
The so-called threat actor was consequently able to to access “LastPass production backups, other cloud-based storage resources, and some related critical database backups”.
attack didn’t set off alarms
The Amazon cloud service that LastPass uses issues alerts when unauthorised users attempt to gain access to the company’s data. But because the attacker had managed to gain access using a key employee’s credentials, alerts weren’t set off and logged activity didn’t look irregular.
“The threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity,” LastPass’s account states.
LastPass adds that it has taken a series of additional security measures since the attack. These include helping the targeted engineer to harden the security on their home network, revoking and reissuing certificates obtained by the attacker and strengthening security on the Amazon cloud storage.
LastPass has also published a series of recommended security steps that both consumer and business customers should take in the wake of the LastPass hack. We summarise the business recommendations below.
The LastPass attack has seriously dented the company’s reputation, not least for the amount of time it took to publish full details of last summer’s breach.
The company is (inevitably) facing a class action lawsuit in the US from one customer who claims to have had $53,000 worth of cryptocurrency stolen after the private keys to his Bitcoin transactions were stored in the password manager.
Read next: After 17 year of cloud computing, what lessons have we learned?
lastpass hack advice to businesses
- Enable policies that ensure each end user creates a strong and unique password.
- Identify users who are using weak passwords using the Admin console.
- Communicate with users about risks of phishing and social engineering.
- Pay particular attention to “super admins”, ensuring they follow best practice.
- Take a risk-based approach when it comes to super admins’ power.
- Enforce MFA for super admins and non-federated users.
Barry Collins
NEXT UP
Riken to integrate IBM’s quantum system with supercomputer Fugaku
IBM and Japanese laboratory Riken have announced an agreement to deploy IBM’s quantum system and integrate it with supercomputer Fugaku
Dear Lord, let this be the last World Password Day
Security expert Davey Winder explains why he wants this to be the last World Password Day ever and prays for World Passkey Day instead
Mark Allen, Head of Cybersecurity at CloudCoCo: “It’s alarming to witness the extent to which deepfakes can be weaponised”
Mark Allen, Head of Cybersecurity at CloudCoCo, provides what amounts to a step-by-step guide to keeping your business more secure against cyberattacks – including deepfakes