LastPass was breached when a hacker installed a keylogger on an employee's home computer.

The hacker took advantage of a vulnerability in a third-party media software package to deploy malware on the employee's computer.

An investigation revealed that LastPass's breach last year was caused by a piece of keylogging malware installed on an employee's home computer.

LastPass published more information about the breach on Monday. This security incident compromised the encrypted password vault data of all customers, and it is believed that the hacker had been accessing their systems without detection for several weeks.

The mystery of how the perpetrator was able to access LastPass, despite its extensive security features, remained. LastPass stored its encrypted password vault data in a cloud-based backup system which necessitated both Amazon AWS Access Keys and LastPass-created decryption keys to gain entry.

In Monday's update, LastPass revealed that four DevOps engineers had access to the decryption keys via a "restricted set of shared folders." Nevertheless, the hacker was able to bypass the company's security features by infecting a DevOps engineer with malware while they were at home.

LastPass stated that a threat actor achieved their objective by attacking the DevOps engineer's home computer, making use of a vulnerable third-party media software package. This enabled remote code execution and the installation of keylogger malware.

The malware monitored the keystrokes on the engineer's computer, allowing the hacker to gain the master password for LastPass's employee vault. The same malware appeared to allow the hacker to dodge multi-factor authentication as well, which was necessary to decrypt and obtain authorization for accessing LastPass's cloud backup system.

LastPass did not identify the software responsible for the vulnerability. However, Ars Technica reported that the vulnerable software was Plex, which provides users with the capability of building media servers to access videos within their home networks. In August, Plex also experienced a breach concerning user password data in its database.

The hacker was already able to breach LastPass' source code repositories back in August. They then used a software engineer's laptop, though it is unknown how. Forensic evidence indicates the hacker shut down the antivirus on the device for continued privacy. LastPass commented on these findings on Monday.

The LastPass report reveals that the hacker had sophisticated computer infiltration capabilities and highlights how a home computer can be used to breach a major company's systems.

Karim Toubba, CEO of LastPass, has acknowledged that many customers were disappointed to not be informed about the breach until Dec. 22, despite the hacker leaving their internal systems two months prior.

The company has accepted the criticism and assumed full responsibility, promising to communicate better in the future. Actions taken include added security technologies due to breaches, yet many users have still switched to other password managers. Today's update is intended as a demonstration of that commitment.

UPDATE:Plex stated that they have not received any information from LastPass regarding the incident where a vulnerability in their streaming software was reported.

Plex has stated that they are not aware of any unpatched vulnerabilities, and have invited people to share any issues with them. In response to news about the LastPass incident, Plex has contacted LastPass to make sure they do not have any unpatched vulnerabilities.

Top Keyloggers 2023