While already dealing with a recent breach, LastPass now says the same attacker hacked an employee’s home computer and obtained access to a decrypted vault.
The unknown threat actor stole valid credentials from a senior DevOps engineer to access the contents of the vault. The vault, which is only available to a small number of employees, gives access to data, including a shared cloud-storage environment containing the encryption keys for customer vault backups stored in Amazon S3 buckets. This means the hacker could copy the customer vault backup data from the encrypted storage container; the backup data also contains unencrypted data, like website URLs, website usernames and passwords, secure notes, and more.
The tactics, techniques, and procedures used in the first incident were different from those used in this second incident, making it harder for investigators to determine whether the two attacks were directly related. As was previously advised, LastPass users should change their master passwords and all passwords stored in their vaults as a precaution, since it is currently unknown if the threat actor has access.