A Top LastPass Engineer’s Home PC Got Pwned by a Hacker’s Keylogger

Beleaguered password manager LastPass has announced yet another serious security screwup and, this time, it may be the final straw for some users.

For months, the company has been periodically providing updates about a nasty data breach that occurred last August. At the time, LastPass revealed that a cybercriminal had managed to worm their way into the company’s development environment and steal some source code but claimed there was “no evidence” that any user data had been compromised as a result. Then, in December, the company made an update, revealing that, well, actually, yeah, certain user information had been compromised, but couldn’t share what, exactly, had been impacted. Several weeks later it did reveal what had been impacted: users’ vault data, which, under the right, extreme circumstances, could lead to total account compromises. And now, finally, LastPass has provided yet more details, revealing that the fallout from the breach was even worse than previously imagined. It’s probably enough to make some users run screaming for the hills.

According to a press release published Monday, the initial August data breach allowed the cybercriminal in question to hack into the home computer of one of LastPass’s most privileged employees—a senior DevOps engineer, and one of only four employees with access to decryption keys that could unlock the platform’s shared cloud environment. The hacker subsequently laced the engineer’s computer with a keylogger, which allowed them to steal their LastPass master password. Using the PW, the cybercriminal managed to break into the engineer’s password vault and, filching necessary decryption keys from the engineer’s account, proceeded to penetrate LastPass’s shared cloud environment, where they stole a whole load of important data.

The company admits that the hacker “exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

In short: yikes, yikes, yikes.

Suffice it to say, this isn’t going to make most of the platform’s customers very happy. The degree to which the cybercriminal was able to penetrate the company’s defenses is certainly unnerving. In fact, security reporter Joseph Cox at Motherboard is recommending that web users steer clear of LastPass altogether. In his article on the most recent revelations, Cox lays into the password manager for its security bungles, dodgy PR tactics, and lack of transparency:

LastPass, the popular password manager, is out of good will. Ever since the company first disclosed a breach in August, it has slowly provided consumers with drips of information, and the new details that do come out increasingly paint a picture of a company that should not be trusted with your passwords.

Cox finishes off his article by noting that “it’s time to find another password manager.” For more than a few users, they’re undoubtedly on the same page.