Security News > 2023 > February > LastPass: Keylogger on home PC led to cracked corporate password vault
There's no date on the update, but as far as we can make out, LastPass just [2023-02-27] published a short document entitled Incident 2 - Additional details of the attack.
As you probably remember, because the bad news broke just before the Christmas holiday season in December 2022, LastPass suffered what's known in the jargon as a lateral movement attack.
The burning question, it seems, was, "How was that pivoting possible, given that the needed access credentials were locked up in a secure password vault to which only four developers had access?".
The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault.
We're not fans of regular, forced password changes when there's no obvious need, just for the sake of change.
We are fans of a change early, change everywhere approach when you know that crooks have got in somewhere.