Incident Details
In 2022, LastPass suffered two linked security breaches that severely damaged trust in the company. The sequence began in August, when a threat actor compromised a software engineer's corporate laptop and used it to reach the cloud-based development environment, taking source code and internal secrets. The laptop ran endpoint detection and response (EDR) software, yet the intrusion produced no alert. Using information obtained in that first incident, the same actor then went after a senior DevOps engineer's home computer: by exploiting a vulnerability in a third-party media software package installed there, it gained remote code execution, planted a keylogger and captured the engineer's master password after the engineer had already completed multi-factor authentication. That password opened the engineer's corporate vault, and from there the actor reached customer data (both encrypted and unencrypted) and API secrets. Together the two incidents exposed gaps in LastPass's defenses, raised serious questions about the safety of user data, and forced an urgent response from the company while millions of users worldwide reassessed their exposure.
Damage Assessment
Impact on Assets:
- Unauthorized access to the cloud-based development environment led to the theft of source code, technical information, and internal system secrets.
- Access to the DevOps engineer's LastPass corporate vault, which held the decryption keys for LastPass's cloud backup storage, resulted in exposure of system configuration data, API secrets, and customer data (both encrypted vault data and unencrypted metadata).
- A backup of the LastPass MFA/Federation Database was accessed, compromising LastPass Authenticator seeds and the telephone numbers used for the MFA backup option.
Organizational Impact:
- The breaches disrupted internal operations, requiring a complete overhaul of the development environment.
- Increased security measures demanded significant resource allocation and staff involvement, potentially diverting focus from regular operations.
- Customer trust was jeopardized, necessitating extensive communication and support to manage user concerns and inquiries.
- Potentially severe reputational damage could lead to long-term financial repercussions, although specific direct costs from the incident have not been disclosed.
Overall, the incidents have highlighted vulnerabilities within LastPass’s security framework, prompting a comprehensive response to mitigate future risks.
How It Happened
The first intrusion began with a software engineer's corporate laptop. How the laptop was initially compromised has not been established, even though it was properly configured with endpoint detection and response (EDR) software; the EDR raised no alert during the compromise, and LastPass concluded it had been tampered with. Once on the laptop, the attacker did not need to defeat the engineer's credentials or multi-factor authentication (MFA): after the engineer had signed in legitimately, the attacker impersonated that authenticated session to reach the cloud-based development environment and exfiltrate source code and internal secrets. Because every request carried the engineer's valid identity, nothing looked abnormal to the monitoring in place.
In the second incident the same actor targeted the senior DevOps engineer's home computer, exploiting a remote code execution vulnerability in a third-party media software package installed on it. The foothold was used to implant keylogger malware, which captured the engineer's master password as it was typed, after the engineer had completed MFA. With that password the attacker opened the engineer's LastPass corporate vault. Logging and alerting were active, but since every action was performed with the engineer's legitimate credentials, nothing was flagged as malicious, and the activity went undetected. In both incidents the attacker paired a technical weakness (an EDR that did not fire, an unpatched application on an unmanaged home machine) with the abuse of a trusted identity, and it is the second half that made detection hard.
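To make the security-relevant point concrete: MFA protects the login to the service, not the data, because a password manager derives the vault encryption key from the master password on the client. The example below is added for this page and is not LastPass's code; it models that design with standard-library primitives only (PBKDF2-SHA256 with an illustrative iteration count, and an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag standing in for AES, which the standard library lacks). The email address, master password, vault contents and six-digit MFA code are constructed, and the function and class names are assumptions. It shows that a keylogged master password alone cannot pass the server's MFA-gated vault fetch, but that the same password decrypts a stolen copy of the encrypted vault blob offline, with the server and its MFA never involved. That is exactly why an attacker holding exfiltrated encrypted vault backups needs only the master password, captured or guessed.

```python
"""Added illustration: a vault key derived from the master password is recoverable from a
keylogged password alone, so MFA at login does not protect a stolen encrypted vault.
Constructed model, not LastPass's code; parameters and helper names are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 100_100  # illustrative PBKDF2 cost, an assumption for this example


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that encrypts the vault depends only on the master password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in; one extra round so the server never learns the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES; the stdlib has no AES).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class VaultServer:
    """Stores only the login hash, an MFA code and the encrypted blob; it never sees the vault key."""

    def __init__(self, login_hash: bytes, mfa_code: str, blob: bytes):
        self.login_hash, self.mfa_code, self.blob = login_hash, mfa_code, blob

    def fetch_vault(self, login_hash: bytes, otp: str) -> bytes:
        # The static code stands in for a TOTP check; the point is that the server gates on MFA.
        if not (hmac.compare_digest(login_hash, self.login_hash) and hmac.compare_digest(otp, self.mfa_code)):
            raise PermissionError("login rejected")
        return self.blob


def scenario() -> dict:
    """Constructed scenario: a keylogger captured the master password and a backup of the blob was stolen."""
    email, master = "devops@example.test", "correct horse battery staple"
    vault = b'{"s3_backup_decryption_key": "constructed-example-value"}'
    key = derive_vault_key(master, email)
    server = VaultServer(derive_login_hash(key, master), "482913", encrypt_vault(key, vault))

    captured = master  # everything the keylogger handed the attacker
    try:  # online path: the password without a valid MFA code is refused
        server.fetch_vault(derive_login_hash(derive_vault_key(captured, email), captured), otp="000000")
        online_ok = True
    except PermissionError:
        online_ok = False

    stolen_blob = server.blob  # a backup copy taken from storage, as with the exfiltrated backups
    offline_ok = decrypt_vault(derive_vault_key(captured, email), stolen_blob) == vault
    return {"online_without_mfa": online_ok, "offline_with_captured_password": offline_ok}


if __name__ == "__main__":
    print(scenario())
```

The design choice worth noticing is that the server holds a hash derived from the vault key rather than the key itself, which is what keeps the provider out of the plaintext; the flip side is that nothing the server does, MFA included, changes what a stolen blob plus the master password yields offline. The only lever the user has over that path is the strength of the master password and the cost of the key derivation.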
Response
In response to the first breach, LastPass worked with Mandiant alongside its internal security teams. It decommissioned the compromised development environment and built a new one in its place, and it deployed additional security technologies and controls, including rotating all relevant clear-text secrets and replacing any exposed certificates.
Investigation of the second incident traced the intrusion to the senior DevOps engineer's home computer, which had been compromised through a vulnerable third-party media software package; the implanted keylogger had captured the engineer's master password during authentication. Alerting and logging had been in place throughout, but the activity was never flagged as malicious because the attacker operated with legitimate credentials.
To contain the damage, LastPass revoked and rotated the compromised credentials and keys, deployed further security technologies, and added logging and alerting aimed at the kind of activity that had previously passed as legitimate use.
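Both incidents ended with the same finding: logging and alerting existed, but nothing fired because the credentials were valid. The example below is added for this page and is not LastPass's detection logic; the log format, field names, device identifiers and thresholds are assumptions, and the log lines are constructed. It shows the kind of behavioural rule that catches legitimate-credential abuse anyway: it baselines each user's known devices, requires a vault open to follow a recent MFA success on the same device, and flags a burst of secret reads, which is what harvesting decryption keys and API secrets out of a vault looks like in an audit log.

```python
"""Added example: behavioural detection over vault-access audit logs.
The log lines are constructed for this page; field names and thresholds are assumptions,
not LastPass's telemetry or detection rules."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a DevOps user's normal pattern (MFA, then vault open, then a single secret read
# from a managed laptop), followed by a vault open from an unknown device and a burst of secret reads.
SAMPLE_LOG = """\
2022-10-01T09:02:11Z user=devops1 event=mfa_success ip=203.0.113.10 device=LPT-4412
2022-10-01T09:02:40Z user=devops1 event=vault_open ip=203.0.113.10 device=LPT-4412
2022-10-01T09:05:02Z user=devops1 event=secret_read ip=203.0.113.10 device=LPT-4412 item=dev-db-password
2022-10-02T10:11:05Z user=devops1 event=mfa_success ip=203.0.113.10 device=LPT-4412
2022-10-02T10:11:30Z user=devops1 event=vault_open ip=203.0.113.10 device=LPT-4412
2022-10-02T10:12:00Z user=devops1 event=secret_read ip=203.0.113.10 device=LPT-4412 item=ci-token
2022-10-14T02:31:09Z user=devops1 event=vault_open ip=198.51.100.7 device=UNK-9f3e
2022-10-14T02:31:20Z user=devops1 event=secret_read ip=198.51.100.7 device=UNK-9f3e item=s3-backup-decryption-key
2022-10-14T02:31:21Z user=devops1 event=secret_read ip=198.51.100.7 device=UNK-9f3e item=aws-api-secret
2022-10-14T02:31:23Z user=devops1 event=secret_read ip=198.51.100.7 device=UNK-9f3e item=prod-signing-key
2022-10-14T09:00:05Z user=devops1 event=mfa_success ip=203.0.113.10 device=LPT-4412
2022-10-14T09:00:30Z user=devops1 event=vault_open ip=203.0.113.10 device=LPT-4412
"""

BASELINE_CUTOFF = datetime(2022, 10, 10)               # events before this date define each user's known devices
MFA_WINDOW = timedelta(minutes=15)                     # a vault open should follow an MFA success on that device
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)   # this many secret reads inside the window is a harvest


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str) -> list:
    """Return (rule, user, device, timestamp) tuples for events that break the user's baseline."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()), key=lambda e: e["ts"])

    # Baseline: devices each user was seen on before the cutoff.
    known_devices = defaultdict(set)
    for e in events:
        if e["ts"] < BASELINE_CUTOFF:
            known_devices[e["user"]].add(e["device"])

    last_mfa = {}                     # (user, device) -> time of the most recent MFA success
    recent_reads = defaultdict(list)  # user -> timestamps of secret reads inside BURST_WINDOW
    alerts = []
    for e in events:
        user, device, ts = e["user"], e["device"], e["ts"]
        if e["event"] == "mfa_success":
            last_mfa[(user, device)] = ts
        elif e["event"] == "vault_open":
            if ts >= BASELINE_CUTOFF and device not in known_devices[user]:
                alerts.append(("new_device", user, device, ts))
            mfa_ts = last_mfa.get((user, device))
            if mfa_ts is None or ts - mfa_ts > MFA_WINDOW:
                alerts.append(("vault_open_without_recent_mfa", user, device, ts))
        elif e["event"] == "secret_read":
            window = [t for t in recent_reads[user] if ts - t <= BURST_WINDOW] + [ts]
            recent_reads[user] = window
            if len(window) == BURST_COUNT:  # fire once, when the threshold is first crossed
                alerts.append(("secret_read_burst", user, device, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, device, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:32} user={user} device={device}")
```

On the sample this produces three alerts, all for the unknown device: a new-device vault open, a vault open with no preceding MFA success, and the secret-read burst; the baseline days produce none. The rules are deliberately simple, and in production they would be fed from identity-provider and vault audit logs and tuned per role, but the principle is the one this incident teaches: whether the identity is valid is not the question, the context in which it is used is.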
Key Takeaways
Prioritize Security Culture: Foster a security-first mindset across all teams within the organization to enhance overall vigilance and responsiveness to threats.
Regular Security Audits: Conduct frequent security assessments and penetration testing to identify vulnerabilities before they can be exploited by malicious actors.
Incident Response Plans: Develop and maintain robust incident response protocols. Effective response can significantly mitigate damage when breaches occur.
Multi-Factor Authentication (MFA): Keep MFA as a baseline control, but recognise its limits. In both incidents the attacker rode a session or a password captured after MFA had already succeeded on a compromised endpoint. Bind sessions to managed, healthy devices and re-challenge for sensitive vault operations rather than treating a passed MFA prompt as proof for everything that follows.
Data Encryption: Encrypt sensitive data at rest and in transit, and keep the decryption keys separate from the data and from any single person's vault. The backups here were encrypted, but the keys needed to read them sat in one engineer's vault, so the encryption bought nothing once that vault was opened.
Third-Party Risk Management: Evaluate and monitor the security practices of third-party vendors, and extend that scrutiny to unmanaged software on any device that holds corporate credentials. The second breach began with an unpatched media application on a home computer, not with a vendor relationship.
Invest in Cybersecurity Services: Engaging with expert services like HackersHub not only enhances security posture but also provides proactive measures to prevent breaches, ensuring software companies stay one step ahead of cyber threats.