LastPass announced on Monday that the same attacker breached an employee's home computer and obtained an encrypted vault available to only a few company developers.

Although the original LastPass breach was supposed to have ended on August 12, officials said the hacker "actively engaged in a new series of identification, enumeration and exfiltration activities" from August 12 to August 26.
The unknown attacker was able to steal valid credentials from a senior DevOps engineer and gain access to the contents of a LastPass data vault. Among other things, the vault provided access to a shared cloud storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
"This was accomplished by targeting an engineer's home computer and exploiting a vulnerable third-party multimedia software package, which enabled remote code execution and allowed the attacker to implant keylogger malware," LastPass officials said. "The attacker was able to capture the employee's master password as he typed it, and gained access to the engineer's corporate LastPass vault."
The engineer whose computer was hacked was one of only four LastPass employees with access to the company vault. Once in possession of the decrypted vault, the attacker extracted the records and the "decryption keys needed to access AWS S3 backups, other cloud-based storage resources and some relatively critical database backups."
