LastPass — encrypted vault exfiltration
Attackers compromised a LastPass DevOps engineer's home computer with a keylogger, captured the master password to the engineer's corporate vault and with it the keys to LastPass's cloud backup storage, then exfiltrated backup copies of customer vaults: encrypted password entries alongside unencrypted website URLs and account metadata.
- Target: LastPass — encrypted vault exfiltration
- Date public: 22 December 2022
- Sector: Technology
- Attack type: Data Breach
- Threat actor: Unattributed (linked by researchers to subsequent crypto-wallet drains)
- Severity: Critical
- Region: Global
LastPass is a password manager — software that stores all your passwords in an encrypted digital safe. The whole point is that you only need to remember one master password, and LastPass keeps the rest locked up. In 2022 hackers managed to steal copies of every customer's locked safe. They did it by targeting a LastPass employee who worked from home. The employee had software on their home computer for their job, and attackers installed hidden malware on that computer that recorded their keystrokes and captured their login details. Those details gave the attackers access to the Amazon cloud storage where LastPass kept backup copies of all customer vaults. The vaults themselves are encrypted, so the attackers can't read them directly. But they can try millions of guesses at your master password until they find the right one — a process called offline cracking. Security researchers have linked subsequent thefts of more than $35 million in cryptocurrency to victims whose LastPass vaults were stolen in this breach and whose master passwords turned out to be guessable. The breach is the clearest demonstration that "encrypted" does not mean "safe" if the encryption key is a weak password.
What happened
LastPass suffered two linked intrusions in 2022. The first, disclosed in August 2022, involved attackers gaining access to a LastPass software engineer's corporate laptop and copying portions of source code and technical documentation from the development environment. LastPass characterised this as contained. The second intrusion, which turned out to be a direct consequence of intelligence gathered during the first, was far more severe. Attackers used information from the August breach to identify and target a LastPass DevOps engineer who was one of a small number of staff with access to the company's AWS-hosted backup storage. By compromising that engineer's home computer with keylogger malware, they captured the master password to the engineer's corporate LastPass vault, which held the access credentials and decryption keys for the backup storage, and exfiltrated a backup copy of the customer vault data.
LastPass first reported "unusual activity" in a third-party cloud storage service on 30 November 2022 and confirmed on 22 December 2022 that customer vault backups had been copied, initially describing the impact in cautious terms. Subsequent updates, following sustained pressure from security researchers and journalists, confirmed the full scope: the exfiltrated data includes each customer's encrypted vault containing all their stored passwords, plus unencrypted metadata including website URLs, customer names, billing addresses, email addresses, telephone numbers, and IP addresses from which LastPass was last accessed. The vault contents themselves are encrypted with AES-256 under a key derived from the customer's master password with PBKDF2-SHA256. The iteration count matters: the default for accounts created after 2018 was 100,100, but many older accounts had never been migrated and still used far lower counts (5,000 or fewer), which makes each password guess correspondingly cheaper for an offline attacker. The URLs stored alongside encrypted credentials are not encrypted and are therefore directly readable by anyone with the exfiltrated data.
By September 2023, security researchers including Nick Bax and Taylor Monahan, with reporting by Brian Krebs, had identified a pattern of cryptocurrency wallet thefts (more than 150 victims, more than $35 million stolen) that they attributed to offline cracking of master passwords from the stolen LastPass vault database. The victims shared a profile: long-time LastPass users whose vaults held wallet seed phrases, with no other common point of compromise. The thefts continued into 2024.
How it worked
The chain of compromise has three distinct links.
The first link was the August 2022 source-code breach. Attackers compromised a LastPass software engineer's corporate laptop and, using persistent access to it, impersonated the engineer after they had authenticated with MFA; LastPass has not said how the endpoint was first compromised. From the development environment they exfiltrated source code and technical documentation. That material gave them an understanding of LastPass's internal architecture, including how the backup environment was structured and which roles had access to it.
The second link was the targeting of the DevOps engineer. Using the architectural intelligence from the first breach, attackers identified a specific employee with access to the AWS backup storage. That employee worked remotely. The employee's home computer ran an out-of-date version of Plex Media Server, a consumer media-streaming application, with a remote-code-execution vulnerability that Plex had patched years earlier; the engineer had never applied the update. The attackers exploited it to install keylogger malware on the home computer. The home computer was also used for work: the engineer logged in to their corporate LastPass vault from it, and the keylogger captured the master password as it was typed, after the engineer had completed MFA.
The third link was the vault exfiltration. With the captured master password the attackers opened the engineer's corporate vault, which contained the access keys for the AWS backup environment and the decryption keys for the encrypted backup storage. With those, they authenticated to AWS and downloaded the customer vault backups in bulk. Because the access used genuine, long-lived credentials from a genuine account, it was hard to distinguish from the engineer's own activity; LastPass has said that it was AWS GuardDuty alerts on later attempts to use IAM roles for unauthorised activity that eventually surfaced the intrusion, by which point the backups had been copied. This is the reason MFA on the vault login did not stop the attack: MFA protected the act of logging in, while the secrets inside the vault were static keys that worked on their own once read.
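Bulk reads of a backup bucket with valid credentials are still visible in CloudTrail S3 data events, if anyone is looking for them. The following is an added example, not LastPass's or AWS's own detection logic, of the two checks a defender would most want on such a bucket: reads from a source address outside known corporate egress, and more objects read in a short window than any legitimate restore job needs. The bucket name, principal ARNs, IP ranges, thresholds and the sample events are all constructed for the example.

```python
"""Added example: detect bulk reads of a backup bucket in CloudTrail S3 data
events. Not LastPass's or AWS's own code; bucket, ARNs, IPs and thresholds are
assumptions for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

BACKUP_BUCKET = "example-vault-backups"              # assumed bucket name
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]        # assumed corporate/VPN egress
WINDOW = timedelta(minutes=10)
MAX_OBJECTS_PER_WINDOW = 50                          # assumed ceiling for a legitimate restore


def parse_events(lines):
    """Yield GetObject events against the backup bucket from CloudTrail JSON lines."""
    for line in lines:
        e = json.loads(line)
        if e.get("eventSource") != "s3.amazonaws.com" or e.get("eventName") != "GetObject":
            continue
        params = e.get("requestParameters") or {}
        if params.get("bucketName") != BACKUP_BUCKET:
            continue
        yield {
            "time": datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")),
            "principal": e["userIdentity"]["arn"],
            "ip": ip_address(e["sourceIPAddress"]),
        }


def detect(lines):
    """Return alerts as (rule, principal, detail) tuples.

    unfamiliar_source: a read from outside KNOWN_EGRESS (once per principal+IP).
    bulk_read: more than MAX_OBJECTS_PER_WINDOW reads by one principal inside WINDOW.
    """
    alerts, flagged_sources = [], set()
    reads = defaultdict(list)
    for ev in parse_events(lines):
        outside = not any(ev["ip"] in net for net in KNOWN_EGRESS)
        if outside and (ev["principal"], ev["ip"]) not in flagged_sources:
            flagged_sources.add((ev["principal"], ev["ip"]))
            alerts.append(("unfamiliar_source", ev["principal"], str(ev["ip"])))
        reads[ev["principal"]].append(ev["time"])
    for principal, times in reads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_OBJECTS_PER_WINDOW:
                alerts.append(("bulk_read", principal, end - start + 1))
                break
    return alerts


def _event(t, arn, ip, key):
    """Build one constructed CloudTrail-style S3 GetObject record."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": {"bucketName": BACKUP_BUCKET, "key": key},
    })


def constructed_events():
    """Constructed sample log: a restore role reading 3 objects from corporate
    egress, and a long-lived IAM user key pulling 60 objects from an unknown IP."""
    base = datetime(2022, 10, 1, 3, 0, tzinfo=timezone.utc)
    restore = "arn:aws:sts::123456789012:assumed-role/backup-restore/session"
    user = "arn:aws:iam::123456789012:user/devops-backup"
    lines = [_event(base + timedelta(minutes=i), restore, "203.0.113.10",
                    f"vault-backups/part-{i}.bin") for i in range(3)]
    lines += [_event(base + timedelta(seconds=5 * i), user, "198.51.100.7",
                     f"vault-backups/part-{i}.bin") for i in range(60)]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The window rule deliberately keys on object count rather than bytes, because a backup of every vault is many objects however it is chunked; in practice the threshold should come from the observed rate of the organisation's own restore jobs, and both rules should fire on an enumeration (ListObjects) burst as well, which is usually the first thing a stolen key is used for.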
The attack against the vault contents is ongoing and offline. The stolen vaults are encrypted files. The attackers, or anyone they sell the data to, can attempt to crack the master password for any given vault by running password-guessing software against it on commodity hardware, with no rate limiting and no lockout, because the service is no longer in the loop. If the master password is short, common, or reused from a site where it has previously been breached, it will be cracked. The time required depends on password strength, on the PBKDF2 iteration count configured on the account, and on the computational resources applied. Vaults protected by long, unique, randomly generated master passwords are not practically crackable with current technology. Vaults protected by weak master passwords are.
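To make the offline attack concrete, here is an added example (not LastPass's code, and a simplified stand-in for its real vault format) of how a cracker tests guesses against a stolen vault, and of why the PBKDF2 iteration count on the account sets the attacker's cost. The vault key is derived as PBKDF2-HMAC-SHA256 over the master password with the account email as salt, which matches the documented LastPass scheme; the "verifier" the cracker checks is an HMAC of a constructed known plaintext, standing in for the AES decryption of a known field that a real cracker would perform, so that the example runs on the standard library alone. The wordlist, email and passwords are constructed.

```python
"""Added example: offline dictionary attack against a stolen vault blob.
Not LastPass's code; the verifier is a stand-in for decrypting a known field."""
import hashlib
import hmac
import secrets
import time

# Iteration counts that stolen LastPass vaults were actually found with:
# the post-2018 default, and a legacy value many older accounts still carried.
MODERN_ITERATIONS = 100_100
LEGACY_ITERATIONS = 5_000

KNOWN_PLAINTEXT = b"constructed-known-vault-field"   # stand-in for a decryptable field


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the (non-secret) account email as salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def make_verifier(vault_key: bytes) -> bytes:
    """What the attacker can test a guess against once the vault is stolen."""
    return hmac.new(vault_key, KNOWN_PLAINTEXT, hashlib.sha256).digest()


def crack(verifier: bytes, email: str, iterations: int, wordlist):
    """Dictionary attack. Returns (password, guesses_made) or (None, guesses_made).
    Nothing in this loop talks to the service: no lockout, no rate limit."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        candidate = make_verifier(derive_vault_key(guess, email, iterations))
        if hmac.compare_digest(candidate, verifier):
            return guess, guesses
    return None, guesses


def guesses_per_second(email: str, iterations: int, samples: int = 5) -> float:
    """Single-core guess rate at a given iteration count (GPU rigs are far faster,
    but the ratio between iteration counts is what matters)."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"bench{i}", email, iterations)
    return samples / (time.perf_counter() - t0)


def expected_seconds(keyspace: float, rate: float) -> float:
    """Average time to find a password drawn uniformly from `keyspace` guesses."""
    return keyspace / 2 / rate


# Constructed wordlist standing in for a breach-compilation list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2022", "Summer2022!", "P@ssw0rd"]

if __name__ == "__main__":
    email = "victim@example.com"                      # constructed
    weak = make_verifier(derive_vault_key("Summer2022!", email, LEGACY_ITERATIONS))
    print("weak vault:", crack(weak, email, LEGACY_ITERATIONS, WORDLIST))
    strong_pw = secrets.token_urlsafe(24)             # random, not in any list
    strong = make_verifier(derive_vault_key(strong_pw, email, MODERN_ITERATIONS))
    print("strong vault:", crack(strong, email, MODERN_ITERATIONS, WORDLIST))
    r_legacy = guesses_per_second(email, LEGACY_ITERATIONS)
    r_modern = guesses_per_second(email, MODERN_ITERATIONS)
    print(f"{r_legacy:.0f} vs {r_modern:.0f} guesses/s on this core; "
          f"legacy accounts are {r_legacy / r_modern:.0f}x cheaper to attack")
```

Two things the numbers show: a vault whose master password appears in a breach list falls in as many guesses as its position in that list, regardless of the iteration count; and for everything else, an account left at 5,000 iterations costs the attacker about a twentieth of one at 100,100, which is why the legacy-iteration accounts were the first to be drained. A 24-byte random password is outside any wordlist and any feasible brute force at either setting.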
Timeline
- August 2022 — First intrusion. Attackers compromise a LastPass developer workstation and exfiltrate source code and internal technical documentation. LastPass discloses and characterises the incident as contained.
- 12 August – 26 October 2022 — Second intrusion. Using intelligence from the first breach, attackers target the DevOps engineer's home computer through an unpatched Plex Media Server vulnerability and install a keylogger. The captured master password opens the engineer's corporate vault, yielding credentials and decryption keys for LastPass's AWS backup storage. Reconnaissance, enumeration and bulk exfiltration of the customer vault backups take place over this period.
- 30 November 2022 — LastPass reports "unusual activity" in a third-party cloud storage service and that certain elements of customer information were accessed.
- 22 December 2022 — LastPass confirms that customer vault backups were copied, while characterising vault contents as encrypted and secure.
- January–March 2023 — Subsequent updates, following researcher and press pressure, confirm the full scope: all vault contents, all metadata, all URLs exfiltrated.
- September 2023 — Security researchers publish analysis linking $35M+ in cryptocurrency wallet thefts across 150+ victims to cracked LastPass master passwords.
- 2023–2024 — Thefts continue. Class-action litigation filed. Multiple former LastPass customers confirm losses traceable to the breach.
What defenders should learn
The home-computer attack surface is the first and perhaps least obvious lesson. The DevOps engineer’s home computer was not a managed enterprise device. It ran consumer software — a Plex Media Server — that had a known unpatched vulnerability. Many organisations that enforce strict patch and configuration standards on managed corporate devices have no equivalent control over the personal machines their staff use for remote work, even when those machines have access to production credentials. The proliferation of remote work since 2020 has made this gap larger and more consequential. Privileged-access devices should be managed devices, regardless of where they are physically located.
The credential storage pattern is the second lesson. The DevOps engineer's AWS access keys and backup decryption keys lived in the engineer's own corporate LastPass vault, and that vault was opened from an unmanaged home computer. MFA on the vault login was satisfied by the engineer, not the attacker; the keylogger simply captured the master password afterwards, and everything inside the vault was a static secret that worked without any further challenge. Any credential that grants access to a production environment containing all customer data is a tier-zero secret. Tier-zero secrets should not be stored on, or unlocked from, general-purpose endpoint devices, managed or otherwise. They should be held in a dedicated secrets management system, accessed only from hardened privileged-access workstations, and issued as short-lived credentials bound to a hardware-backed authentication that a keylogger cannot replay.
The encryption-only defence is the third and broadest lesson. LastPass’s response to the breach consistently emphasised that vault contents were encrypted. This is technically true and strategically insufficient. Encrypted data stolen in bulk is a perpetual offline-cracking target. The value of that stolen data does not decay — it increases as cracking hardware becomes cheaper and faster. Any security posture that relies on “the data is encrypted, so theft is acceptable” must confront the question of whether the encryption keys are adequate. For a password manager where the key is a human-chosen master password, the honest answer is: for many customers, no.
The unencrypted metadata is often overlooked in post-incident analyses but matters significantly. Website URLs are not encrypted in the exfiltrated data. An attacker with the vault database knows which websites each customer has accounts at — their bank, their brokerage, their healthcare portal, their email provider — without needing to crack a single password. That information is usable for targeted phishing, for social engineering, and for prioritising which vaults to crack first. The decision to leave URLs unencrypted was a deliberate design choice that traded functionality for security; the breach converted that trade-off into a direct harm.
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Phishing-resistant MFA on every privileged account: Hardware keys or platform authenticators on admin, cloud-root, HR-system, CRM and customer-data accounts. SMS one-time codes do not count as MFA against a serious adversary.
- Just-in-time privilege elevation, not standing admin: Standing admin rights on a privileged account give the attacker the same window the legitimate admin has. Just-in-time elevation collapses that window to minutes.
- Privileged Access Workstations for tier-0 administration: Domain admins and cloud-tenant root holders should not be checking email and admining the directory from the same laptop. Separate the device, separate the trust tier.
Sources
- LastPass — Notice of Recent Security Incident (December 2022) // primary
- LastPass — Security Incident Update and Recommended Actions // primary
- Krebs on Security — Experts fear crooks are cracking keys stolen in LastPass breach // reporting
- Krebs on Security — LastPass: 'Horse Gone Barn Bolted' is Strong Password // reporting
- Wired — The LastPass Hack Somehow Gets Worse // reporting
- The Register — LastPass admits attackers have a copy of customers' password vaults // reporting