Security News > 2023 > February > LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults

LastPass, which in December 2022 disclosed a severe data breach that allowed threat actors to access encrypted password vaults, said it happened as a result of the same adversary launching a second attack on its systems.

"The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack," the password management service said.

"Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment," LastPass said, adding the engineer "Had access to the decryption keys needed to access the cloud storage service."

"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," LastPass said.

LastPass did not reveal the name of the third-party media software used, but indications are that it could be Plex based on the fact that it suffered a breach of its own in late August 2022.

LastPass users are highly recommended to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.

News URL

https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html