To obtain client credentials, a threat actor targeted a vulnerability on a high-level employee’s home computer and data from other breaches.
In connection with its 2022 breach, LastPass disclosed some instances that gave a threat actor access to and control over extremely sensitive customer account data stored on its Amazon Web Services storage servers during a planned, months-long campaign.
According to an advisory on the password manager’s support website, its research turned up several operations a threat actor carried out between August and October, including reconnaissance, enumeration, and exfiltration activities.
The threat actor gained access to numerous LastPass resources and backups using information acquired in an initial breach in August, information from a third-party breach, and a remote code execution vulnerability on a DevOps engineer’s private computer, the company claimed.
One of the four DevOps engineers who had access to the decryption keys required to access the cloud storage service was the target of the threat actor, according to LastPass. After the employee verified with MFA, the threat actor could record the employee’s master password as it was being entered and obtain access to the DevOps engineer’s LastPass corporate vault.
AWS production backups, resources, and some crucial database backups were all accessible to the threat actor through the intrusion, according to the company, which also allowed the threat actor to exfiltrate corporate vault entries and shared folders that contained encrypted notes with access and decryption keys.
Four months after the initial breach, LastPass announced that client data, including encrypted passwords, usernames, and form-filled data, had been seriously stolen.
The parent company of LastPass, GoTo, announced in January that a threat actor had stolen encrypted backups and an encryption key from the shared storage vault.
