The hacker implanted keylogger malware to capture the employee’s master password, which gave access for months before it was detected.
LastPass has shared more details on the recent cyberattack that saw customer data stolen from the company’s cloud storage.
The password management platform confirmed it suffered a data breach last December, after an “unknown threat actor” accessed its customer vault by using source code and technical information obtained from an earlier cyberattack in August.
In a recent incident report, LastPass said the threat actor was able to decrypt the information it had stolen in August by targeting a DevOps engineer. This engineer was one of only four staff members who had access to the decryption keys needed to access the cloud storage service.
LastPass said the hacker achieved this goal by targeting the engineer’s home computer and exploiting a “vulnerable third-party media software package”, which allowed the threat actor to implant keylogger malware.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” LastPass said.
The hacker then used the data from this vault to access and steal data from a LastPass cloud storage environment. This activity occurred for two months, between 12 August and 26 October last year.
LastPass said it was difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity, due to the hacker’s use of valid engineer credentials.
The company said it has upgraded its security measures in response to the breach, including additional logging and alerting across the cloud storage environment.
LastPass said it also assisted the DevOps engineer in hardening the security of their personal devices and home network.
The data breach led to customer information being stolen, including company names, user names and email addresses, along with encrypted sensitive information such as passwords.
LastPass owner GoTo also had some of its customer data stolen in the breach. The company also warned that the hacker may have stolen an encryption key, which could be used to unscramble some of the sensitive data.
Martin Mackay, the CRO of security company Versa Networks, said the hack should be a lesson to organisations that “any device is at risk”.
“People assume that if a personal home computer has nothing of value on it then it won’t be a target for cyber criminals, however, this is simply not true,” Mackay said.
“Threat actors will use any security gap or weakness to initially breach the network, and then move laterally across to their intended target – in this case it was corporate data from cloud storages.”