LastPass breach: Hackers put malware on engineer's home computer to steal their password

The fallout from the LastPass hack continues, with the company revealing attackers gained access by hacking a senior engineer's home computer.
Written by Danny Palmer, Senior Writer
Thief reaching out to a phone showing the LastPass logo.
June Wan/ZDNET

LastPass has revealed that hackers stole a master password that they used to access highly restricted corporate databases and information by targeting a senior engineer's home computer. 

Also: Leaving LastPass? Here's how to get your passwords out

The password manager company first revealed that it had been hacked in August last year when it said attackers had accessed the development environment, taking portions of LastPass source code and some proprietary technical information. 

At the time, LastPass said there was no evidence that the attackers gained access to customer data or sensitive encrypted vaults.

But this changed last December, when LastPass revealed hackers had stolen vault data containing both encrypted and unencrypted data -- including information about customers. 

The company has now said attackers used information stolen during the first attack -- along with information stolen in other breaches and the exploitation of a cybersecurity vulnerability -- to power a second attack. 

Also: The best password managers for easily maintaining all your logins

This attack targeted one of only four senior DevOps engineers who had the required high-level security authentication necessary to use the decryption keys required to access the cloud storage service -- and the attackers did so by targeting their home computer. 

The exact details of how the attack happened haven't been disclosed, but LastPass said the DevOps engineer's home computer was targeted by attackers exploiting what's described as "a vulnerable third-party media software package", which let the attackers gain the privileges required for remote code execution. 

This tactic gave attackers the opportunity to install keylogger malware on the home computer, allowing them to monitor what the employee typed on their machine. They exploited this information to steal the master password to gain access to the corporate vault.  

According to LastPass, this access allowed the attackers to enter various shared instances, "which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups". 

Following the incident, LastPass says it "assisted the DevOps Engineer with hardening the security of their home network and personal resources". 

Also: Reddit was hit with a phishing attack. How it responded is a lesson for everyone

LastPass has upgraded its multi-factor authentication (MFA) by applying Microsoft's conditional access PIN-matching MFA, and the company is now rotating critical and high-privilege passwords that were known to the attackers, to reduce the chance of an additional breach. 

The company is also examining how the breach has potentially affected customers. 

"There are several additional workstreams underway to help secure our customers, which may require them to perform specific actions," Lastpass said

It's recommended that LastPass business administration users and other LastPass customers change their master password. This password should not be used to secure any other accounts. 

It's also recommended that MFA is applied to the account to reduce the chances of it being accessed. 

Editorial standards