This article examines the LastPass hack, detailing how attackers exploited vulnerabilities to access sensitive customer data. It emphasizes the importance of robust security measures in cloud computing and offers practical guidelines for detection and prevention.
Affected: LastPass
Keypoints:
- LastPass is a SaaS provider specializing in password vault solutions.
- The hack involved the theft of customer encrypted passwords and sensitive information.
- Attackers accessed LastPass’s S3 bucket using stolen developer credentials.
- Multiple detection opportunities were identified to prevent the breach.
- Implementing least privilege access and multi-factor authentication is crucial for security.
MITRE Techniques:
- T1078: Valid Accounts – Attackers used stolen developer credentials to access the S3 bucket.
- T1071: Application Layer Protocol – Attackers accessed cloud resources over VPN to obfuscate their location.
- T1086: PowerShell – Potential use of backend code tampering to log customer master passwords.
- T1041: Exfiltration Over Command and Control Channel – Data exfiltration occurred from the S3 bucket.
- T1087: Account Discovery – Attackers likely performed reconnaissance and enumeration operations.
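A defender-side illustration of one such detection opportunity, added here and not taken from the CSA report or from LastPass: constructed CloudTrail-shaped S3 data events are scanned for a developer identity reading many objects from a source address outside its baseline, which is the access pattern the techniques above describe. Principal ARNs, IP addresses, the bucket name and the alert threshold are all assumptions.

```python
"""Constructed CloudTrail-shaped S3 data events (not real LastPass logs) are
scanned for a principal reading many objects from a source IP it has not been
seen from before. Field names follow CloudTrail; principals, addresses, bucket
name and threshold are illustrative assumptions."""
from collections import defaultdict

DEV = "arn:aws:iam::111122223333:user/dev-alice"  # constructed developer identity
CI = "arn:aws:iam::111122223333:role/ci-build"    # constructed service identity


def _event(arn, name, ip, key):
    """Build a minimal CloudTrail-style S3 data event (constructed sample)."""
    return {"userIdentity": {"arn": arn}, "eventName": name, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": "vault-backups", "key": key}}


# Constructed sample: stolen developer credentials reading 25 objects from a new
# address (203.0.113.10), plus benign reads and writes from familiar addresses.
SAMPLE_EVENTS = (
    [_event(DEV, "GetObject", "203.0.113.10", f"blob-{i}.bin") for i in range(25)]
    + [_event(DEV, "GetObject", "198.51.100.7", "blob-x.bin"),
       _event(CI, "PutObject", "203.0.113.10", "blob-y.bin")]
)
# Constructed baseline: source IPs each principal has historically used
KNOWN_SOURCES = {DEV: {"198.51.100.7"}, CI: {"198.51.100.7"}}
READ_THRESHOLD = 20  # illustrative: distinct objects read from one new IP before alerting


def detect_anomalous_reads(events, known_sources, threshold=READ_THRESHOLD):
    """Return one alert per (principal, source IP) pair that read at least
    `threshold` distinct objects from an address outside the principal's baseline."""
    reads = defaultdict(set)  # (arn, ip) -> {(bucket, key), ...}
    for ev in events:
        if ev.get("eventName") != "GetObject":
            continue  # only object reads matter for an exfiltration signal
        arn, ip = ev["userIdentity"]["arn"], ev["sourceIPAddress"]
        if ip in known_sources.get(arn, set()):
            continue  # familiar address for this identity
        params = ev.get("requestParameters", {})
        reads[(arn, ip)].add((params.get("bucketName"), params.get("key")))
    return [
        {"principal": arn, "source_ip": ip, "objects_read": len(keys),
         "buckets": sorted({b for b, _ in keys})}
        for (arn, ip), keys in reads.items() if len(keys) >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_anomalous_reads(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(alert)
```

The baseline here is a static dictionary; in practice it would be derived from historical S3 data events per identity, and the threshold tuned against normal developer activity.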
Indicators of Compromise:
- No IoCs found
Full Research: https://cloudsecurityalliance.org/blog/2025/01/15/unpacking-the-lastpass-hack-a-case-study-from-csa-s-top-cloud-threats-report#