LastPass, the password management service, was recently hit by a massive breach that compromised partially encrypted password vault data and customer information. Last week, the company revealed that the attack was the result of one of its engineers failing to update Plex on their home computer, leaving a nearly three-year-old vulnerability unpatched and open to attack.
The breach took place between August and October 2022 and involved planting keylogger malware on the home computer of one of the four DevOps engineers at LastPass. The attackers used a now-patched flaw in Plex, a media streaming platform, to achieve code execution on the engineer’s computer and capture their credentials. This allowed the attackers to breach the cloud storage environment and exfiltrate sensitive data from LastPass’s Amazon AWS servers.
According to the company, this breach was the result of a coordinated second attack by an adversary that had already stolen information from an earlier incident that occurred before August 12, 2022, and had access to details available from a third-party data breach. The company said that this intrusion targeted its infrastructure, resources, and the aforementioned employee.
The original incident, which occurred in August 2022, saw the attackers access source code and proprietary technical information from LastPass’s development environment using a single compromised employee account. The December 2022 breach, on the other hand, involved the attackers leveraging the stolen information to access a cloud-based storage environment and obtain certain elements of LastPass customers’ information.
In the aftermath of the breach, LastPass’s parent company, GoTo, also revealed that it had been hit by a breach stemming from unauthorized access to a third-party cloud storage service. LastPass said that the attackers engaged in a new series of “reconnaissance, enumeration, and exfiltration activities” aimed at its cloud storage service between August and October 2022.
The threat actors were able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment, which enabled them to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data. The employee’s passwords were siphoned by targeting their home computer and leveraging a “vulnerable third-party media software package” to achieve remote code execution and plant keylogger software.
In response to the breach, LastPass upgraded its security posture by rotating critical and high-privilege credentials, reissuing certificates obtained by the threat actor, and applying extra S3 hardening measures to put in place logging and alerting mechanisms. However, LastPass users are strongly advised to change their master passwords and all the passwords stored in their vaults to mitigate potential risks if they haven’t done so already.
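The paragraph above names the controls LastPass applied to the S3 buckets holding backups, but not what a hardened bucket looks like. The script below is an added example, not LastPass’s code: it audits a bucket description against a small baseline (public access block, SSE-KMS default encryption, server access logging, versioning, and a policy that denies non-TLS requests). The bucket descriptions are constructed dictionaries shaped like the fields boto3 returns from get_public_access_block, get_bucket_encryption, get_bucket_logging, get_bucket_versioning and get_bucket_policy, merged into one dict (the versioning Status field is stored as VersioningStatus to avoid a name clash), so it runs offline with no AWS account; bucket names, the KMS key ARN and the log prefix are placeholders.

```python
"""Audit an S3 bucket's configuration against a small hardening baseline.

Added example (not LastPass's code). The bucket descriptions are constructed
dictionaries shaped like boto3 responses and merged into one dict so the
audit runs offline with no AWS credentials.
"""
import json
from typing import List


def policy_denies_insecure_transport(policy: dict) -> bool:
    """True if a Deny statement applies whenever aws:SecureTransport is false."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket(cfg: dict) -> List[str]:
    """Return findings for one bucket; an empty list means every check passed."""
    findings = []

    # 1. All four public-access-block settings must be on.
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    for key in ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(key, False):
            findings.append(f"public access block: {key} is off")

    # 2. Default encryption should use a KMS key so key access is auditable and revocable.
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if "aws:kms" not in algorithms:
        findings.append("encryption: default rule does not use SSE-KMS")

    # 3. Server access logging provides the record needed to alert on bulk reads.
    if "LoggingEnabled" not in cfg:
        findings.append("logging: server access logging is disabled")

    # 4. Versioning protects backups against silent overwrite or deletion.
    if cfg.get("VersioningStatus") != "Enabled":
        findings.append("versioning: not enabled")

    # 5. The bucket policy must refuse plaintext (non-TLS) requests.
    policy_text = cfg.get("Policy")
    if not policy_text or not policy_denies_insecure_transport(json.loads(policy_text)):
        findings.append("policy: no Deny for aws:SecureTransport=false")

    return findings


# Constructed sample: a bucket with none of the controls in place.
WEAK_BUCKET = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    },
    "VersioningStatus": "Suspended",
}

# Constructed sample: the same bucket after hardening (placeholder names and ARN).
HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
    },
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        }}]
    },
    "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "vault-backups/"},
    "VersioningStatus": "Enabled",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-vault-backups",
                         "arn:aws:s3:::example-vault-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        findings = audit_bucket(cfg)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run against real buckets by building the same merged dict from the boto3 calls named above; the weak sample reports eight findings and the hardened one none. Logging on its own does not stop exfiltration, which is why the page pairs it with alerting: the access log is what a detection rule for unusual read volume or a new principal is written against.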
In conclusion, the LastPass breach was a sobering reminder of the dangers of failing to keep software up-to-date, and it highlights the importance of implementing robust security measures to protect against cyber threats.