LastPass says employee’s home computer was hacked and corporate vault taken

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.
Same source as OP.

 

BigWrench

Level 19
Verified
Top Poster
Well-known
Apr 13, 2014
926
Fresh email from LastPass…….

Dear LastPass Customer,

We are writing today to update you on our recent security incident disclosed on December 22. We have now completed an exhaustive investigation and have not seen any threat actor activity since October 26.

Earlier today, we posted an update to our blog with new findings and important information, including what happened and the actions we have taken, what data was accessed, what we have done to secure LastPass, actions we are recommending customers take to protect themselves or their businesses, and what you can expect from us going forward.

Given the volume of information we are sharing in the blog post, and to better assist our customers with their own incident-response efforts, we have prepared a Security Bulletin specifically for our Free, Premium, and Families consumer users to help guide you through a review of important LastPass settings designed to help secure your account by confirming best practices are being followed.

Please review the Security Bulletin and make any necessary changes to your account.

In sharing these additional details today and in our approach going forward, we are determined to do right by our customers and communicate more effectively. We thank you for your patience and continued support of LastPass.

The Team at LastPass

✌️
 


blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
This is why the US government issues employees locked down laptops. I can’t even log into our HR system on my personal PC. It’s all tied to a credential card and pin.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,638
At LastPass security is our number one priority. With local-only encryption, your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass.
Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.
Monday’s update comes two months after LastPass issued a previous bombshell update that for the first time said that, contrary to previous assertions, the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.
The backup data contained both unencrypted data, such as website URLs, as well as website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.
This sums up online password managers. If you can access your passwords on multiple devices via the internet, anyone can.
The problem is not really that the dev was targeted, but that his account allows access to that data. So much for conspiracies.
 

ForgottenSeer 98186

This is why the US government issues employees locked down laptops. I can’t even log into our HR system on my personal PC. It’s all tied to a credential card and pin.
The conditional access system based upon the CAC is a joke. The US govt does not issue secure CAC scanners, if at all (subcontractors have to buy their own), and so CAC holders buy cheap scanners online that have malicious code that steals the data off the CAC. Tell that to the DoD which has multiple breaches across all 5 branches, along with at least 100,000+ stolen identities.

Great, "use 2FA" is part of their advice. Shame the DevOps Engineer didn't get the message.
The answer is a very simple one. LastPass did not put MFA authentication in front of the corporate vault. LastPass's enterprise security just required MFA for the initial authentication to the front system. That is not the DevOps Engineer's fault. He's not the LastPass security administrator. He's just the developer.

The problem is not really that the dev was targeted, but that his account allows access to that data. So much for conspiracies.
The DevOps Engineer needs access to corporate resources in the vault (which contained no user data) to work with the development pipeline. The threat actor got access to shared cloud resources. With a typical enterprise software vault costing about $20,000 each, no company with sane senior managers is going to buy 15 of them to segregate everything just so customers can "feel good." A company is going to buy a single software vault and stuff everything in there that they can. If LastPass customers want that to change and want much better security, then they need to reach deep into their pockets and start paying $75 or $100 per year for the service instead of $0.

It is one hell of a spectacle to watch the outrage over the compromise of a product whose user base are mostly freeloaders.

The public never wants to pay, and yet expects perfect security. When they are willing to pay, they're the biggest cheapskates, then turn around and point the finger and play the blame game.
 


TuxTalk

Level 13
Verified
Top Poster
Well-known
Nov 9, 2022
604
LastRide is the better name now. They should quit their business and still have some pride then.
Even the Titanic did not have as many holes as LP.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
It is one hell of a spectacle to watch the outrage over the compromise of a product whose user base are mostly freeloaders.

The public never wants to pay, and yet expects perfect security. When they are willing to pay, they're the biggest cheapskates, then turn around and point the finger and play the blame game.
Just like the argument that we had on the Comodo thread, you are right and not right.

Whether it’s free or paid software, they should ensure that good security practices are followed by all employees, that devices and data are secured, and that the most critical information can’t be accessed from employees’ unmanaged PCs. This is highly sensitive data and keeping it safe should be somewhat of a priority. If a free model is not sustainable to achieve that, then they should put a price tag on it.

But you can’t just gather users’ data for years (charging for very minor features that not everyone needs) and then after 3 breaches be like “Oopsie… well we are for free…”.
 

Jonny Quest

Level 22
Verified
Top Poster
Well-known
Mar 2, 2023
1,102
After all this fiasco, I totally deleted my LastPass account a couple of days ago. Even though that information is out there, it's still something proactive I could do on my part.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
At my request Support restored my account (family subs) that dates back to 2012 (they do NOT delete your account fully from the backend!), but I ain't going back to LP, ever.

Their verbose responses are not very convincing to me. They are essentially playing a CYA PLUS a 'soothe customer feathers' operation & hoping it doesn't lead to wider legal repercussions, given they got hacked numerous times in the past.
 

Jonny Quest

Level 22
Verified
Top Poster
Well-known
Mar 2, 2023
1,102
At my request Support restored my account (family subs) that dates back to 2012 (they do NOT delete your account fully from the backend!), but I ain't going back to LP, ever.

Their verbose responses are not very convincing to me. They are essentially playing a CYA PLUS a 'soothe customer feathers' operation & hoping it doesn't lead to wider legal repercussions, given they got hacked numerous times in the past.
They do not delete your account fully? Is this why I've gotten a couple of update emails from them, even though I supposedly totally deleted my account?
 

TuxTalk

Level 13
Verified
Top Poster
Well-known
Nov 9, 2022
604
The conditional access system based upon the CAC is a joke. The US govt does not issue secure CAC scanners, if at all (subcontractors have to buy their own), and so CAC holders buy cheap scanners online that have malicious code that steals the data off the CAC. Tell that to the DoD which has multiple breaches across all 5 branches, along with at least 100,000+ stolen identities.

The answer is a very simple one. LastPass did not put MFA authentication in front of the corporate vault. LastPass's enterprise security just required MFA for the initial authentication to the front system. That is not the DevOps Engineer's fault. He's not the LastPass security administrator. He's just the developer.

The DevOps Engineer needs access to corporate resources in the vault (which contained no user data) to work with the development pipeline. The threat actor got access to shared cloud resources. With a typical enterprise software vault costing about $20,000 each, no company with sane senior managers is going to buy 15 of them to segregate everything just so customers can "feel good." A company is going to buy a single software vault and stuff everything in there that they can. If LastPass customers want that to change and want much better security, then they need to reach deep into their pockets and start paying $75 or $100 per year for the service instead of $0.

It is one hell of a spectacle to watch the outrage over the compromise of a product whose user base are mostly freeloaders.

The public never wants to pay, and yet expects perfect security. When they are willing to pay, they're the biggest cheapskates, then turn around and point the finger and play the blame game.
Calm down dude..... or do you have stock in them?
 

ForgottenSeer 98186

Whether it’s free or paid software, they should ensure that good security practices are followed by all employees, that devices and data are secured, and that the most critical information can’t be accessed from employees’ unmanaged PCs. This is highly sensitive data and keeping it safe should be somewhat of a priority. If a free model is not sustainable to achieve that, then they should put a price tag on it.
The operative word is "should." They are not required to do anything. Strict security costs money and lots of it. So without enough revenue, shortcuts are taken and things are not done. People are not going to get the security that they want for $0 or $3 per month.

Nobody is required to provide secure software or a secure service. You can argue that they should do so on ethical grounds, but at the end of the day they only provide what they are legally required to provide. There is no contract between a software publisher or service provider and the general public. Their EULAs and terms of service basically state that everything is provided "As Is."

LastPass should charge a lot more than what it does now, and eliminate the free tier. But you know if they did that then the cheap public would not pay.

But you can’t just gather users’ data for years (charging for very minor features that not everyone needs) and then after 3 breaches be like “Oopsie… well we are for free…”.
They would never say "Oopsie... well we are for free..." but at the same time they used reasonable security and in their terms of service they are not responsible. If the government and general public want to put security responsibility onto software publishers and service providers, then those companies will just pass the increased costs onto the public - who are too cheap to pay. So those providers will be regulated out of existence and it will be the public that suffers as products leave the market with no one willing to assume the liability.

@Trident I am not saying that companies are not negligent. Because to some degree, it can be debated, all of them are. Except for some small company that is run by a security enthusiast who puts security as the company's first priority and willingly spends the big money for it, everybody else executes security imperfectly. Mistakes are made. Shortcuts are taken. Employees are not security-minded or thorough. Etc. Budgets are not sufficient. Security roles are understaffed.
 