More on the LastPass breach
New updates have been shared on the LastPass breach.
TL;DR: it is likely not a second incident, and the story is not getting any better. Reports now suggest it was a targeted attack against one of four LastPass senior DevOps engineers who had access to their team's LastPass corporate vault, which contained highly sensitive credentials for LastPass' cloud-based storage resources as well as the decryption keys needed to access the AWS S3 production backups and "…some related critical database backups". Yep.
By exploiting a vulnerability on the engineer's home computer, the attackers were able to install a keylogger and, from there, work their way into the corporate environment, in what will likely become one of the most significant attacks to be studied in recent memory.
As is often the case in incident response engagements, this looks like subsequent discovery and scoping of the previously reported incident: the teams involved work further back up the attack chain and piece the timelines together. Confusingly, LastPass is positioning it as "Incident 2". Their update can be found here.
This unfortunate circumstance is not behind us. More details will unfold, with plenty to learn from in the coming months. Kudos to LastPass for sharing details as they emerge. For me, this update poses more questions than it does answers, which I'll withhold for now. Like many, I am eager to just binge-read the full story.
If your organization could use some help migrating to an enterprise-class password management solution, please reach out, we’d be happy to chat.