The 2022 breach of LastPass involved a hack on a DevOps engineer to steal password vault data.

LastPass has provided more details on a “coordinated second attack” that resulted in the theft of customer data and partially encrypted password vault data from Amazon AWS cloud storage servers over a period of two months.

In December, LastPass announced that it had experienced a breach, and the company has now explained how the threat actors carried out this attack. Using information from a previous breach, another data breach, and a remote code execution vulnerability, the attackers installed a keylogger on a senior DevOps engineer’s device. This enabled them to capture the employee’s master password and gain access to LastPass’ corporate vault. The attackers then used the stolen data to gain access to the company’s encrypted Amazon S3 buckets.

LastPass disclosed that the hackers were able to steal data from their cloud storage servers between August 12, 2022, and October 26, 2022. The attackers used valid credentials, making it difficult for investigators to detect their activity. LastPass has since updated its security posture, and a large amount of data was stolen during the incident.

The company has released a detailed list of the data that was accessed and has created support documents for its customers and business administrators containing recommended actions.