The threat actors who broke into password management firm LastPass's development environment last August used information gathered from that incident for a follow-on attack, the company confirmed. The cyberattackers were able to access and exfiltrate data from an encrypted cloud storage service housing a backup of LastPass customer and vault data.

To pull off the heist, the adversaries targeted a home computer belonging to one of four DevOps engineers at LastPass who had the decryption keys needed to access a broader set of LastPass customer and encrypted vault data housed in encrypted Amazon S3 cloud storage buckets. 

The engineer's machine had a vulnerable third-party media player that the attacker exploited to gain access to the computer and install a keylogger on it. The malware eventually enabled the threat actor to gain access to the DevOps engineer's corporate vault and to export the decryption keys needed to access the AWS S3 LastPass production backups, LastPass said.

Attacker Had Access to Broad Range of Data

The DevOps engineer's credentials and keys allowed the threat actor to access a broad range of encrypted and unencrypted data — including password vault data — housed in the AWS S3 storage environment, LastPass announced this week. The backup data included configuration information, API and third-party integration secrets, customer metadata, and backups of all customer vault data. However, LastPass described most of the sensitive data in the customer vaults as encrypted and readable only with a unique decryption key derived from each end user's master passwords. 

"As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass — therefore, they were not included in the exfiltrated data," the company said.

In addition, the attacker also accessed a backup of a database containing LastPass multifactor authentication (MFA) and federation information. The database included MFA seeds assigned to users when they first registered their MFA authenticator with LastPass, hashes of customer generated one-time passwords (OTPs), and so-called split knowledge components or K2 keys associated with business customers. The secrets that business customers use to integrate third-party MFA vendors such as Duo Security with LastPass were also affected. 

"This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor," LastPass said, which has offered up a complete description of all affected data.

Latest Twist in Unfolding Tale

The update sent out Feb. 27 is the latest twist in a breach tale that has been slowly growing in scope since last August, when LastPass disclosed that it had spotted unusual activity on its network. At the time, the password management firm said threat actors had broken into its cloud development environment via a compromised software engineer's laptop and stolen some source code and other proprietary technical information. In updates in November and December, LastPass said the same threat actors had used information obtained in the August incident to access and decrypt a limited number of storage volumes within the cloud-based storage service.

LastPass' most recent update is unlikely to win the company any new fans in the security industry, especially because of how the scope of the incident has kept changing with each disclosure. When it first reported the breach last August, company CEO Karim Toubba described it as limited to the company's development environment and claimed the company had "achieved a state of containment." In its subsequent updates, the company reassured users about the separation between its development and production environments and why their information was therefore safe. With this week's announcement, LastPass said the attack on its cloud storage environment had overlapped with the attack on the development environment.

"The company now has a history of breaches and, depending on how you count, this is the third in less than a year," says Eric Noonan, CEO of CyberSheath. At a tactical level, it's hard to know what they might have done better, because information about the breaches have been relatively scant, he says. "In the bigger scheme of things this is what CISA, and other accountable government agencies are talking about when they say product companies have a responsibility to build security and safety into their products prior to unleashing them on the public," Noonan says.

Review Master Passwords

The company has advocated that business customers and individual customers review their master passwords and change them if necessary. Users who have followed the company's previous recommendations for setting a master password should be safe from brute-force guessing methods.

The attack is further proof of how inextricably linked enterprise security has become with the security of the networks and devices that employees use at home, security experts say.

CISOs must understand the implications of a personal device compromise, a home network being wide open, or personal compromise impacting the company, says Chris Pierson, CEO and founder of BlackCloak. "The risks are no longer theoretical and never have been," Pierson says. "Because corporate environments have become so well fortified, cybercriminals are moving to the lowest-hanging fruit," which are often are the personal devices of key employees and executives, he says.

A survey that BlackCloak conducted recently found that the personal desktops, mobile, and tablet computing devices that key corporate executives use often are vulnerable and lack basic protections. BlackCloak's data showed, for instance, that 76% of executives' personal devices leak data actively, 87% of executives' personal devices have no security installed on them, and 23% of executives have open ports at home. The survey showed that 87% of executives use passwords that are currently leaked on the Dark Web, 54% do not use a password manager, and social media sites and data brokers have a lot of information that attackers can use to social engineer them.

Focusing on Home Users & Devices

Attacks like the one LastPass disclosed this week highlight why security teams need to focus more on protecting employees from account takeover attacks wherever they are and whatever device they might be using, says Avi Turgeman, CEO and co-founder of IronVest. 

"They need to take a more holistic approach to protecting [employees against] all critical vulnerabilities," Turgeman tells Dark Reading. This includes implementing measures such as identity authentication, access management, post-login protection, 2FA/MFA protection, and phishing. "Eighty percent of data breaches are a result of compromised credentials," he notes.