Good grief, LastPass, could we go a month without hearing about a security failure from you folks? Keeping people’s personal info safe is literally your whole deal. The company’s latest statement on its highly-publicized hacks from 2022 shows that one of the key components of the incident was an employee’s home computer. In layman’s terms: a high-ranking employee was less than diligent with their personal machine.
According to the details of the investigation posted on LastPass’s support system (notably not in a press release or similar statement), the company says that one of its DevOps engineers was compromised via their home PC, which was specifically targeted and exploited using a “vulnerable third-party media software package.” Once that was achieved, the hackers used a keylogger to capture the employee’s master password, which then gave them access to Amazon Web Services encryption keys and LastPass’s own encrypted shared data.
As noted by Ars Technica, LastPass’s full investigation points to a coordinated effort using multiple techniques to target both broad and specific vectors for the company. It’s a sophisticated attack that happened in stages across multiple months. And anyone who’s brought work home can attest that it’s tempting to be less than diligent when it comes to tight corporate security.
But once again, if your entire business model is built on assuring your users that their personal data is safe with you, then any kind of security failure is a massive breach of trust. Apropos of nothing, readers might want to check out PCWorld’s roundup of the best password managers. LastPass is no longer our top pick.