LastPass is a popular password manager that has suffered more than its fair share of data breaches. Information has now come to light regarding the latest LastPass data breach which was reported here by our own John Durso in December: LastPass Hacker Gets Vault Data
Apparently, a work-from-home employee’s PC was compromised via a vulnerability in a third-party media player, which was exploited to deploy a keylogger. Once the keylogger was in place, it was just a matter of time until the employee logged in using their official credentials and, bingo… the hacker had everything he/she needed to access the employee’s corporate vault. The following is an excerpt from the LastPass report:
The threat actor targeted a senior DevOps engineer’s remote PC by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data ~ <source>
As I have repeated many times over, most malware requires some sort of inadvertent action on the part of the user in order to be delivered, and in corporate environments with multiple networked computers operated by multiple users that risk rises considerably. Even though the LastPass vault itself was not breached directly, it’s remarkable that remote employees are not better educated to avoid these types of third-party compromises. In fact, it’s inconceivable that what is essentially a work PC, holding highly sensitive material, is not kept completely separate from the employee’s own personal use.
LastPass has stated that it’s now in the process of hardening the DevOps engineer’s home network security. While that is certainly a step in the right direction, surely these types of employees who are working from home with sensitive information should be ordered to maintain two completely separate PCs – one for work requirements ONLY, and another for personal use.
What LastPass Users Need To Do
If you’re a LastPass user and have already taken remedial action as per LastPass’s bulletin, you’re all good. However, if you’re just finding out about this now, you need to follow John Durso’s advice from his earlier article:
- Change the LastPass master password
- Turn on LastPass multi-factor authentication if it is not turned on
- Change all critical website passwords (email, financial institutions, credit cards, etc.)
Stay safe out there.