Last year’s devastating breach of LastPass has been traced back to a piece of keylogging malware that was secretly installed on an employee’s home computer.
On Monday, LastPass provided more details on the breach, which has shattered trust in one of the most popular password managers on the market. The company lost encrypted password vault data for all customers to a hacker who was secretly poking around LastPass’ systems for weeks.
One lingering question had been how the culprit broke into LastPass, despite its various security safeguards. The company held its encrypted password vault data in a cloud-based backup system, which required both Amazon AWS Access Keys and the LastPass-generated decryption keys in order to enter.
In Monday’s update, LastPass added that only four DevOps engineers at the company possessed the necessary decryption keys through a “highly restricted set of shared folders.” However, the hacker circumvented the company’s security safeguards by serving malware to one of the DevOps engineers at their home.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass said.
The malware then recorded the keystrokes on the engineer’s computer, enabling the hacker to capture the master password for the employee’s password vault at LastPass. The same malware appears to have helped the hacker bypass the multi-factor authentication on the account, which contained the decryption keys required to access LastPass’s cloud backup system.
LastPass didn’t name the “vulnerable third-party media software package.” But according to Ars Technica, the vulnerable software was Plex, which can help consumers construct a media server to stream videos at home. (In August, Plex suffered its own breach, which involved a database containing user password information.)
The hacker was also able to target the DevOps engineer at LastPass after conducting an earlier breach on the company back in August involving its source code repositories. During the initial breach, the hacker hijacked a LastPass software engineer’s laptop, although it remains unclear how this was done. Still, the forensic evidence shows the culprit shut down the antivirus on the software engineer’s computer to remain hidden, LastPass said in Monday’s update.
The new report from LastPass indicates the hacker possessed some serious computer infiltration skills. In addition, the report shows how an employee’s home computer can be exploited to break into a major company.
LastPass CEO Karim Toubba also notes that many customers have been frustrated with the company’s “inability to communicate more immediately, more clearly, and more comprehensively throughout this event.” The company initially announced the breach on Dec. 22, almost two months after the hacker had left LastPass's internal systems.
“I accept the criticism and take full responsibility. We have learned a great deal and are committed to communicating more effectively going forward. Today’s update is a demonstration of that commitment,” he wrote in a post to customers. The company has also made numerous changes, including installing new security technologies, following the breaches. Despite the pledge, many users on social media have reported switching to other password managers.
For more, check out What Really Happens In a Data Breach (and What You Can Do About It) and How to Switch to a New Password Manager.
UPDATE: In a statement, Plex told PCMag it hasn't received any information from LastPass about the hacking incident, which reportedly involved a vulnerability in Plex's streaming software.
"We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us," Plex said. "Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure."