The large data breach that LastPass suffered last year, when hackers stole copies of its customers’ vaults, has already shaken trust in password managers. Now, there’s more.
LastPass disclosed in December 2022 that a severe data breach allowed threat actors to access encrypted password vaults, take the data, and then try to decrypt it.
The August incident, which LastPass was worryingly late to report, left the password manager struggling to maintain its slick reputation. A survey of over a thousand Americans by Security.org, a website that tests cybersecurity products, found that LastPass slipped from being the most popular manager in 2021 to fourth place in 2022.
LastPass now has more to say, and it’s even more concerning. It turns out that the same adversary launched another attack on the company’s systems.
The initial intrusion into LastPass ended on August 12. But the company now says that the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to October 26.
In the process, the attacker compromised an employee’s home computer and obtained a decrypted vault available to only a few staff members. The employee was one of the company’s DevOps engineers.
"The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package, to launch a coordinated second attack," the password management service said.
Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
LastPass’s update said that the tactics, techniques, and procedures used in the first incident were different from those used in the second. That’s why it wasn’t initially clear to investigators that the two were directly related.
Last year LastPass claimed no data had been breached, and that turned out not to be true. Experts were and remain extremely critical of the company for not being more honest about the impact of the hack in its disclosures.
When LastPass decided to disclose the real scale of the breach, most experts urged the firm’s customers to change their master passwords and all passwords stored in their vaults. The threat actor may not have accessed either, but it’s better to be safe than sorry.
“When selecting a password manager, choose one that works across all of your platforms and devices and encrypts all of the data in your vault. And be sure that you choose a strong and unique main password for your password manager itself, to keep your credentials secure,” Gary Orenstein, chief customer officer at password management service provider Bitwarden told Cybernews in January.