Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.
Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
Another bombshell drops
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
Monday’s update comes two months after LastPass issued a previous bombshell update that, contrary to earlier assertions, said for the first time that the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.
There are two separate vault breaches here.
1) LastPass internally uses LastPass to keep their Amazon S3 login information. This internal LastPass Vault itself holds the logins to LastPass' internal Amazon account. One LastPass dev had access to this internal dev vault and was allowed to install Plex, which had a major security vulnerability. The hackers installed a keylogger onto that developer's PC and extracted that dev's Master Password and MFA code to the LastPass internal vault. Thus, the LastPass internal vault was immediately decrypted, because they stole that dev's Master Password + MFA.
If hackers install a keylogger onto a developer's system, then hackers can steal passwords and immediately decrypt any of that user's vaults. That LastPass dev had nobody else's Master Password.
2) Well, that dev's vault was damn valuable, because now the hackers used that developer's now-decrypted Amazon S3 login and extracted 30 million encrypted consumer vaults stored on Amazon S3 (because LastPass backed up encrypted consumer vaults to Amazon S3). This is all the consumer data.
TL;DR: the hackers keylogged the Master Password of a LastPass employee, not of any consumers. So that LastPass employee's vault was immediately decrypted. Essentially, the LastPass dev accidentally gave away access to his entire PC & work credentials.
//
Encrypted LastPass vaults aren't safe by default, however. If your vault had low iteration counts (e.g., 1 or 500) and a short, non-machine-generated Master Password, plus stored juicy things the hackers might want (crypto logins, bank logins), then your vault is more likely to be a higher priority to be guessed / brute-forced.
A helpful note: some people keep saying "But the accounts had AES-256! Nobody can crack that!" Imagine your LastPass Vault has 100-feet steel walls (that's AES-256) and a locked door (that's the Master Password).
The hackers will not try to drill through the massive walls; they will try billions or even trillions of keys on the door.
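The "walls versus door" picture above, and the point about iteration counts, can be made concrete with a small cost model. The following is an added example, not code from the article or the comment: it derives a vault key with PBKDF2-HMAC-SHA256 salted with the account email (a simplified model of a LastPass-style vault; the product's exact parameters are not taken from the page), and then estimates how the expected guessing time for the "door" scales with password entropy and iteration count. The iteration counts 1 and 500 come from the comment; 100,100 is assumed here as a representative modern default and is not from the page. The attacker rate of 10^9 HMAC evaluations per second, the email, and both passwords are constructed demo values.

```python
import hashlib
import math

# Constructed inputs for the demo (not real credentials).
DEMO_EMAIL = "user@example.com"
WEAK_PASSWORD = "summer22"                 # 8 chars, lowercase + digits, human-chosen
STRONG_PASSWORD = "xK9#pL2vQ7!mZ4wR8nT3"   # 20 chars from a ~94-symbol set, generated

# Iteration counts: 1 and 500 are the low counts named in the comment above;
# 100100 is assumed here as a representative modern default (not from the page).
ITERATION_PROFILES = {"1 round": 1, "500 rounds": 500, "100100 rounds": 100100}

# Constructed attacker budget: HMAC-SHA256 evaluations per second. The real figure
# depends on hardware; the lesson is the ratio between profiles, not this number.
ASSUMED_HMAC_PER_SECOND = 1e9


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256, salted with the
    lower-cased account email. Simplified model of a LastPass-style vault key;
    the product's exact parameters are an assumption, not taken from the page."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from an
    alphabet of `alphabet_size`. Human-chosen passwords have less than this."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Expected wall-clock time to guess the master password (the 'door').
    The attacker tries half the keyspace on average, and each guess costs
    `iterations` HMAC evaluations, so the iteration count multiplies the
    cost linearly while each extra bit of entropy doubles it."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / hmac_per_second


def cost_table(entropy_bits: float) -> dict:
    """Expected crack time in seconds for every iteration profile."""
    return {name: expected_crack_seconds(entropy_bits, rounds)
            for name, rounds in ITERATION_PROFILES.items()}


def walls_advantage_bits(entropy_bits: float, iterations: int, key_bits: int = 256) -> float:
    """How many bits harder brute-forcing the AES key (the 'walls') is than
    brute-forcing the password through the KDF (the 'door'), in log2 units.
    Expected work on the walls is 2^(key_bits-1); on the door it is
    2^(entropy_bits-1) * iterations. A large positive result means the
    attacker will always go for the door."""
    door_bits = (entropy_bits - 1) + math.log2(iterations)
    return (key_bits - 1) - door_bits


def main() -> None:
    for label, password, alphabet in (("weak", WEAK_PASSWORD, 36),
                                      ("strong", STRONG_PASSWORD, 94)):
        bits = password_entropy_bits(len(password), alphabet)
        print(f"{label} password: {len(password)} chars, ~{bits:.1f} bits of entropy")
        for name, seconds in cost_table(bits).items():
            print(f"  {name:>14}: expected crack time {seconds:.3e} s "
                  f"({seconds / 86400 / 365:.3e} years)")
        print(f"  walls vs door at 100100 rounds: "
              f"{walls_advantage_bits(bits, 100100):.1f} bits in favour of attacking the door")
    # The derived key itself is what unlocks the vault; note it is fixed-size
    # regardless of the password, which is why only the password's entropy matters.
    key = derive_vault_key(WEAK_PASSWORD, DEMO_EMAIL, 500)
    print(f"vault key (500 rounds, weak password): {key.hex()}")


if __name__ == "__main__":
    main()
```

Two things to read off the output: raising the iteration count from 1 to 100,100 makes every guess roughly a hundred thousand times more expensive, but that only adds about 17 bits of effective strength, whereas switching from a short human-chosen password to a 20-character generated one adds well over 80 bits; and even at a single round, the 256-bit key remains more than 200 bits harder to attack directly than any realistic password, which is exactly why the "walls" are never the target.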