The company behind the LastPass password manager has revealed a second attack on user data, in which the hackers combined information stolen in the first LastPass attack, information obtained from a third-party site, and a vulnerability in software installed on the computer of a LastPass engineer to once again breach the company's security.
According to the company, “Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.”
The hacker made off with credentials belonging to a senior DevOps engineer and used them to access a shared cloud-storage environment; the company's security controls could not distinguish the hacker's activity from the engineer's legitimate activity.
Since the hackers needed top-level clearance, they specifically targeted the home computer of a top-level engineer and exploited a flaw in software on that computer. That allowed them to implant keylogger malware that tracked the employee’s every keystroke and eventually revealed critical usernames and passwords.
The company says it has improved the home network security of employees and added additional multi-factor authentication steps to make it more difficult for hackers to breach their security.
LastPass’ own senior engineers didn’t use MFA??? No wonder they got hacked multiple times, forcing users to frantically change all our passwords! We jumped from that sinking ship to Dashlane in December, even though LastPass refused to refund our November subscription renewal. Don’t spend the money all in one place, LastPass, you won’t get any more from us.