Vulnerable software on a remote worker’s home PC was part of the reason password manager LastPass got hacked in 2022, leading to backups of encrypted customer password vaults being accessed by attackers.

LastPass recently published a detailed rundown of the breach that – along with the vault backups – saw customer data such as names, billing and email addresses, and phone numbers stolen.

It said there were two security incidents which appeared unrelated, partly because alerts and logs didn’t show “the anomalous behaviour that became clearer in retrospect”.

“Specifically,” LastPass said, “the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”

That DevOps engineer was one of four people who had access to a specific set of decryption keys.

These decryption keys, stored in the engineer’s LastPass vault – along with a set of Amazon Web Services (AWS) Access Keys – would open the AWS S3 storage buckets that held the encrypted backups of customer vaults.

After first compromising a corporate employee’s laptop to steal source code and user credentials, and to learn how LastPass’s cloud is configured, the attacker identified and targeted the home PC of a DevOps engineer who held the AWS decryption keys.

The hacker then exploited “a vulnerable third-party media software package, which enabled remote code execution capability” and installed a keylogger.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with [multi-factor authentication] MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” LastPass said.

“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

According to PC Mag, the vulnerability on the worker’s home computer was in a version of Plex Media Server that had been discovered three years earlier and long since patched.

LastPass said it has since rotated high level credentials and “assisted the DevOps Engineer with hardening the security of their home network and personal resources”.

Hack the vault

It was a near-nightmare scenario for LastPass which, like all password managers, offers the promise of better online security by making it easy for users to choose a different, stronger password for each service they log into.

By using a password manager, users don’t need to remember a different password for every account, which lowers the risk that a breach of one organisation’s security will expose the password they use everywhere else.

But the existence of these password vaults containing passwords and other documents means the likes of LastPass are a high-value target for sophisticated attackers.

LastPass insists the stolen backups were encrypted in a way that “can only be decrypted with a unique encryption key derived from each user’s master password” which is never known by the company.

Chair of the ACS Cyber Security Committee Louay Ghashash said he was caught up in the LastPass breach but is confident his secure master password keeps his stored passwords safe.

“If you are using LastPass or any vendor and have a simple master key, you are shooting yourself in the foot,” he told Information Age.

While Ghashash was critical of the way LastPass failed to limit administrator privileges, he said some of the broader criticism of the company was misguided.

“People are saying you should switch to other vendors, but I don’t think that’s the right way to do that. You don’t know how secure other vendors are; they could be the same or worse,” he said.

“All these security solutions solve a problem but come with their own risk. As long as you implement best practice, by using complex passwords and enabling MFA, the benefit will far outweigh the risk.”