Some of the best password managers understand their role perfectly — additional convenience for users without compromising their security. LastPass was counted among the best until recently, but a string of security incidents has stripped it of its credibility and reputation. Adding insult to injury, another security incident at the company has now come to light, this time involving a senior employee's home computer and Plex credentials.

To recall, LastPass suffered a breach in August last year, which allowed hackers to steal the password manager's source code. After an investigation, management maintained that user data was safe until another related security incident came to light in December 2022. It involved a breach of an employee's personal computer, which allowed access to backups of LastPass users' vaults. Barely two months have passed since this revelation, and LastPass now confirms the bad actors certainly have access to customer vault data.

The breached information includes plaintext data, encrypted text, website data like usernames and passwords, secure notes, and information for filling forms. LastPass explains it is now clear this attack is linked to the August breach, which raises the question of how an attack of this magnitude flew under the company's radar. LastPass' blog post says the hackers targeted one of its DevOps engineers. An anonymous source told Ars Technica the hackers exploited a vulnerability in Plex installed on the engineer's computer, allowing them to install keylogging malware. However, besides that one anonymous source, nothing ties Plex to the LastPass breach.

The keylogger captured the engineer’s Master Password for a LastPass vault used by other staffers. Only four people were allowed access to this internal-use vault, but unbeknownst to this engineer, the keylogger captured all the multi-factor authentication credentials and relayed them to the hackers. This now-decrypted corporate vault contained decryption keys for server-side encrypted Amazon Web Services (AWS) S3 production backups of customer vaults, critical LastPass database backups, and access to other cloud storage resources.

Although this breach was tied to the August incident, it went undetected for so long because, as LastPass admits, the two related attacks used different tactics. It was only when the hacker used the data from the AWS S3 backups that the password manager's researchers caught on to what was happening. Specifically, the bad actor used Identity and Access Management roles taken from the AWS S3 backup, tripping Amazon's warning systems for unauthorized use.
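The detection that finally surfaced the intrusion was anomalous use of IAM roles. As an added illustration of how a defender can look for that kind of signal in their own logs (this is not LastPass's or AWS's detection logic, and the account id, role names, IP ranges and event records below are all constructed), the following script checks CloudTrail-style events for role use from networks outside a known baseline:

```python
"""Flag IAM role use from sources outside an expected baseline.

Added example, not code from LastPass or AWS. The records below are
constructed to mimic the shape of CloudTrail entries; account id,
role ARNs and IP addresses are invented.
"""
import ipaddress
import json

# Constructed baseline: networks each role is normally assumed from.
EXPECTED_SOURCES = {
    "arn:aws:iam::111122223333:role/backup-restore": ["10.20.0.0/16"],
}

BACKUP_ROLE = "arn:aws:iam::111122223333:role/backup-restore"
OTHER_ROLE = "arn:aws:iam::111122223333:role/ci-runner"  # not in baseline

# Constructed CloudTrail-style records (minimal subset of fields).
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventName": "AssumeRole", "sourceIPAddress": "10.20.5.7",
     "requestParameters": {"roleArn": BACKUP_ROLE}},
    {"eventID": "ev-2", "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"roleArn": BACKUP_ROLE}},
    {"eventID": "ev-3", "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": BACKUP_ROLE}}}},
    # Service-originated event: sourceIPAddress is a service name, not an IP.
    {"eventID": "ev-4", "eventName": "GetObject", "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": BACKUP_ROLE}}}},
    {"eventID": "ev-5", "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"roleArn": OTHER_ROLE}},
]


def role_arn_of(event):
    """Return the role ARN an event concerns, or None.

    AssumeRole calls name the role in requestParameters; API calls made
    with a role session carry it under sessionContext.sessionIssuer.
    """
    if event.get("eventName") == "AssumeRole":
        return event.get("requestParameters", {}).get("roleArn")
    issuer = (event.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("sessionIssuer", {}))
    return issuer.get("arn")


def find_unexpected_role_use(events, expected=EXPECTED_SOURCES):
    """Return findings for baseline roles used from a non-baseline source.

    Events for roles without a baseline are ignored, as are events whose
    sourceIPAddress is an AWS service name rather than an IP address.
    """
    nets = {arn: [ipaddress.ip_network(c) for c in cidrs]
            for arn, cidrs in expected.items()}
    findings = []
    for ev in events:
        arn = role_arn_of(ev)
        if arn not in nets:
            continue
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service-originated call, no client IP to judge
        if not any(src in net for net in nets[arn]):
            findings.append({"eventID": ev["eventID"],
                             "eventName": ev["eventName"],
                             "role": arn,
                             "source": str(src)})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_unexpected_role_use(SAMPLE_EVENTS), indent=2))
```

Run on the constructed records it flags ev-2 and ev-3 (the backup role assumed and then used from an address outside its baseline network) while ignoring the in-baseline call, the service-originated record, and the role with no baseline. In practice the baseline would be built from historical CloudTrail data per role, and a finding would be routed to an alerting pipeline rather than printed.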

We admire LastPass for its transparency and the faith it had in its own vaults, but unfortunately, we must strongly urge all its users to change their master passwords and stored passwords. If you're adequately shaken by the company's crumbling reputation these last few months, we have curated a list of the best LastPass alternatives, while our colleague Karandeep stands firmly by Enpass.

UPDATE: 2023/03/01 07:07 EST BY CHANDRAVEER MATHUR

Plex comments on the incident

In a statement, Plex told Android Police it has no information from LastPass about the media server’s involvement in the breach. Plex has reached out to LastPass for clarification and further details. Plex also reiterated the significance of its bug bounty program and associated guidelines. Plex says it doesn’t discuss vulnerabilities until they are patched, and at the time of the LastPass incident, the company wasn’t aware of any unpatched vulnerabilities.