LastPass has published more details regarding its December 2022 breach, saying that hackers gained access to its systems by infecting an engineer's computer with a keylogger.
Hackers stole a decryption key from the engineer.
- Only four DevOps engineers had access to the credentials for LastPass's Amazon S3 buckets.
- Hackers targeted all of them, successfully managing to breach one using a remote code execution vulnerability.
- Starting with the first breach attempt on Aug. 12, 2022, the threat actor conducted information theft and operations activities that did not stop until Oct. 26, 2022.
- Using the information they stole during the first and second waves of cyberattacks, the threat actor concluded the operation in December.
- Some of the information that hackers managed to steal across the multiple cyberattacks:
  - 14 of the total 200 software repositories,
  - internal scripts from the repositories,
  - technical information that described how the development environment operated.
- Summary of data accessed in Incident 2:
  - DevOps secrets,
  - Contained configuration data,
  - API secrets,
  - third-party integration secrets,
  - customer metadata,
  - backups of all customer vault data,
  - backup of the LastPass MFA/Federation Database, which contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option, etc.