
Cyber Incident Victim: LastPass

Date:

Nov 2022

Location:

United States of America

Summary

Between August and October 2022 a threat actor used information taken in an earlier LastPass breach, a vulnerability in third-party software, and stolen credentials to compromise the home computer of a LastPass DevOps engineer. A keylogger planted on that machine captured the engineer's master password as it was typed, after the engineer had completed multi-factor authentication, which gave the attacker the engineer's corporate vault and, from it, the keys to LastPass cloud storage. The attacker exfiltrated backups containing customer account metadata (names, e-mail addresses, billing addresses and similar fields) and copies of customer vaults; within the vaults, sensitive fields remained protected by AES-256 encryption under LastPass's Zero Knowledge model, in which the decryption key is derived from a master password that LastPass never holds. Cloud storage shared with an affiliate was also affected, but unencrypted credit card data was not accessed. Because the attacker operated with valid credentials and keys, the activity initially looked legitimate; detection came only when anomalous use of cloud identities triggered security alerts.

CIA Posture: available to members
Motives: 0 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

The August 2022 incident began when an unauthorized party compromised a LastPass developer's endpoint and, over a four-day period, gained access to the company's isolated development environment. How the endpoint was initially compromised was not determined. The attacker did not need to defeat multi-factor authentication: it impersonated the developer once the developer had already authenticated with MFA, and from that position exfiltrated portions of source code and proprietary technical information. LastPass contained the incident by August 12 and, because the development environment was physically separated from production and held no customer data at all, reported no access to customer data, encrypted vaults or production systems. LastPass's Zero Knowledge architecture also meant that master passwords were never present to be taken. Forensic analysis with Mandiant found no evidence of code tampering or malicious injection; developers cannot push code to production without validation by a separate build team. In response, LastPass decommissioned the development environment and rebuilt it from scratch, replaced developer machines, and added endpoint security controls and monitoring.


The threat actor then used the credentials and technical information stolen in August to mount a second, longer intrusion, active from August 12 to October 26, 2022. The target was a senior DevOps engineer, and the route in was the engineer's home computer: a vulnerable third-party media software package on that machine was exploited for remote code execution and a keylogger was installed. The keylogger captured the master password as the engineer typed it, after the engineer had completed multi-factor authentication, so MFA was not bypassed but was simply irrelevant to a capture that happened after it. With that password the attacker opened the engineer's corporate LastPass vault and obtained the access and decryption keys for LastPass's AWS storage.

Using valid credentials and the stolen keys, the attacker exfiltrated backups from AWS S3. The buckets used S3 server-side encryption (S3-SSE, S3-KMS and S3-SSE-C), which protects data at rest against someone who lacks the keys but not against an attacker presenting the legitimate keys. The backups held customer account metadata (company names, billing addresses, e-mail addresses, IP addresses) and customer vault data, in which URLs are stored unencrypted while credentials and secure notes are encrypted. Detection was delayed because every action was performed with legitimate credentials; it was AWS GuardDuty alerts on the attacker's use of IAM roles for unauthorized activity that finally exposed it.

LastPass's response included forensic imaging of the affected systems, rotation of high-privilege credentials, revocation of certificates, tighter AWS policies (IP restrictions and least-privilege IAM roles), deletion of obsolete users, conditional-access PIN-matching MFA, and custom analytics for AWS abuse. Customer vaults remain protected by 256-bit AES with keys derived from the master password via PBKDF2, but LastPass acknowledged that an attacker holding the encrypted vaults can attempt to brute-force weak master passwords offline; how long that takes depends on the master password's strength and the account's PBKDF2 iteration count. Law enforcement and regulators were notified, and fewer than 3% of business customers were advised to take specific actions based on their configurations.
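The brute-force risk mentioned above is worth making concrete: once an attacker holds a copy of an encrypted vault, guessing the master password is an offline exercise with no lockout or rate limiting, and the only things slowing each guess down are the PBKDF2 iteration count and the entropy of the password. The following Python script is an added example, not LastPass code, and it does not use LastPass's real salt scheme, iteration counts or vault format: the salt, the two iteration counts, the wordlist and the `key_check_tag` verifier are constructed stand-ins (a real attacker checks whether a derived key decrypts the AES-256 blob; the cost per guess is the same).

```python
"""Offline guessing against a PBKDF2-derived vault key (added example; constructed data, not LastPass code)."""
from __future__ import annotations

import hashlib
import hmac
import time
from typing import Optional

# Constructed stand-ins. The incident write-up gives no salt scheme or iteration count; many password
# managers salt the master password with the account e-mail, so an e-mail is used here for illustration.
SALT = b"devops.engineer@example.com"
LOW_ITERATIONS = 5_000        # assumption: an old, low-cost setting
HIGH_ITERATIONS = 600_000     # assumption: a current high-cost setting for PBKDF2-HMAC-SHA256

# Constructed attacker wordlist: a few common choices plus the victim's weak password.
WORDLIST = ["password", "123456", "lastpass", "Summer2022!", "letmein"]


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stretched to a 256-bit key; this is what would key AES-256 over the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def key_check_tag(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?'. An attacker holding the exfiltrated blob
    performs the equivalent check by attempting decryption; nothing about it touches LastPass servers."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def offline_guess(tag: bytes, salt: bytes, iterations: int, wordlist: list[str]) -> tuple[Optional[str], int]:
    """Try each candidate master password; return (recovered password or None, guesses spent)."""
    for count, guess in enumerate(wordlist, start=1):
        candidate = key_check_tag(derive_vault_key(guess, salt, iterations))
        if hmac.compare_digest(candidate, tag):
            return guess, count
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure one CPU core's PBKDF2 cost at a given iteration count (GPU attackers are far faster)."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", SALT, iterations)
    return (time.perf_counter() - start) / samples


def main() -> None:
    # Weak master password at a low iteration count: recovered from the wordlist.
    weak_tag = key_check_tag(derive_vault_key("Summer2022!", SALT, LOW_ITERATIONS))
    print("weak password:", offline_guess(weak_tag, SALT, LOW_ITERATIONS, WORDLIST))

    # Strong passphrase: not in any wordlist, so the attacker pays for the full search space.
    strong_tag = key_check_tag(derive_vault_key("orbit-velvet-canyon-ledger-73", SALT, HIGH_ITERATIONS))
    print("strong passphrase:", offline_guess(strong_tag, SALT, HIGH_ITERATIONS, WORDLIST))

    # Iteration count scales the attacker's bill linearly; password entropy scales it exponentially.
    for iterations in (LOW_ITERATIONS, HIGH_ITERATIONS):
        per_guess = seconds_per_guess(iterations)
        print(f"{iterations:>7} iterations: {per_guess * 1000:7.1f} ms/guess on one core, "
              f"{1e8 * per_guess / 86400:9.1f} days for 10^8 candidates")


if __name__ == "__main__":
    main()
```

Two points follow from running it. The weak password falls on the fourth guess regardless of iteration count, because iterations only multiply the cost of a search that is already tiny; the high iteration count matters for the passphrase, where the attacker's cost is iteration time multiplied by a search space the wordlist never reaches. The timing loop is single-core Python; a GPU cracking rig is orders of magnitude faster, so treat the printed day counts as a lower bound on defender pessimism, not an estimate of attacker capability.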

Sources

2 sources (available to members)