The security failure that led to the substantial fine and data exposure began with two interconnected security incidents starting in August 2022. The initial breach occurred when a hacker successfully compromised the laptop of a LastPass employee. Through this compromised device, the attacker managed to gain unauthorized access to portions of the company’s development environment.
Although no user personal data was immediately exfiltrated during this first stage, the attacker was able to download several key assets. These stolen items included LastPass’s source code, various pieces of proprietary technical information, and a set of encrypted company credentials. LastPass initially assessed the breach as contained because the decryption keys necessary to unlock these stolen credentials were believed to be securely stored in the password vaults of four separate senior employees.
However, the containment strategy failed almost immediately. On the day following the initial compromise, the attacker pivoted to target one of the four senior employees who possessed the critical decryption keys. The attacker exploited a known vulnerability in a third-party streaming application, which is understood to have been Plex, that was installed on the targeted employee’s personal device.
GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025
This successful exploitation of the personal device allowed the hacker to deploy malware. This malware was subsequently used to capture the employee’s master password through a keylogger and, critically, to bypass multi-factor authentication by utilizing a session cookie that was already authenticated. Because the employee had used the exact same master password for both their personal password vault and their business password vault, the attacker was able to access the business vault.
Once inside the business vault, the attacker stole an Amazon Web Services access key and a decryption key. These keys, when combined with the source code and technical information stolen in the first breach, provided the attackers with the necessary means to breach the cloud storage provider GoTo. This final stage allowed the hackers to steal LastPass database backups that were stored on the GoTo platform, leading to the exposure of the user data and vaults.
Impressive breakdown of the attack chain. The reused master password between personal and business vaults is the real killshot here. I've seen similar breaches where credential hygeine was solid everywhere except that one pivot point. Worth noting that the session cookie bypass is getting more common, MFA fatigue or session hijacking bypasses are basically the new phishing.