A Top LastPass Engineer’s Home PC Got Pwned by a Hacker’s Keylogger


Photo: Maor_Winetrob (Shutterstock)

Beleaguered password manager LastPass has announced yet another serious security screwup and, this time, it may be the final straw for some users.

For months, the company has been periodically providing updates about a nasty data breach that occurred last August. At the time, LastPass revealed that a cybercriminal had managed to worm their way into the company’s development environment and steal some source code but claimed there was “no evidence” that any user data had been compromised as a result. Then, in December, the company made an update, revealing that, well, actually, yeah, certain user information had been compromised, but couldn’t share what, exactly, had been impacted. Several weeks later it did reveal what had been impacted: users’ vault data, which, under the right, extreme circumstances, could lead to total account compromises. And now, finally, LastPass has provided yet more details, revealing that the fallout from the breach was even worse than previously imagined. It’s probably enough to make some users run screaming for the hills.

According to a press release published Monday, the initial August data breach allowed the cybercriminal in question to hack into the home computer of one of LastPass’s most privileged employees—a senior DevOps engineer, and one of only four employees with access to decryption keys that could unlock the platform’s shared cloud environment. The hacker subsequently laced the engineer’s computer with a keylogger, which allowed them to steal the engineer’s LastPass master password. Using the PW, the cybercriminal managed to break into the engineer’s password vault and, filching necessary decryption keys from the engineer’s account, proceeded to penetrate LastPass’s shared cloud environment, where they stole a whole load of important data.

The company admits that the hacker “exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

In short:…
