LastPass – Dev Env Breach → Source Code Recon → DevOps Home PC (Plex Exploit) → Keylogger → AWS S3 Vault Backup Exfil
A two-stage attack first compromised LastPass's development environment, then used the stolen technical knowledge to target a specific DevOps engineer — one of only four people with access to production decryption keys. The attacker exploited a years-old unpatched vulnerability in Plex Media Server on the engineer's personal home computer to install a keylogger, captured the master password, unlocked the engineer's personal LastPass vault, and used the cloud credentials inside to exfiltrate encrypted customer vault backups from AWS S3. The entire chain required no zero-days in LastPass's production infrastructure.
A LastPass software developer's endpoint was compromised via a third-party software package. The attacker used this foothold to access the developer's credentials and the shared development environment, exfiltrating source code, technical documentation, internal secrets, and some customer metadata. LastPass disclosed this breach in August 2022, describing it as a development environment incident with no customer data or vault content accessed. What wasn't known at the time: the stolen technical documentation would be used to plan Stage 2.
Customer impact at Stage 1: None disclosed — no production access, no vault data
Strategic value to attacker: Infrastructure topology, S3 bucket names, backup key architecture, target identity (DevOps engineer)
Using the documentation stolen in Stage 1, the attacker understood exactly how LastPass's production backup encryption worked: a small set of DevOps engineers held decryption keys for the production S3 backup environment. Only four employees had access. The attacker identified one of these four as the target for Stage 2 — choosing home infrastructure as the attack surface because personal endpoints are outside corporate MDM and EDR coverage.
Attack surface chosen: Personal home computer — outside corporate MDM, EDR, and monitoring
Intelligence source: Stage 1 stolen technical documentation and internal runbooks
The targeted DevOps engineer ran Plex Media Server on their personal home computer. The attacker exploited a known vulnerability in Plex that had been publicly disclosed years prior and had a patch available — but the engineer's home installation was unpatched. Plex itself disclosed separately that it had been notified of this exploitation and confirmed the CVE was over two years old with a patch available. The exploit provided remote code execution on the home machine.
Vulnerability age: Over 2 years old with patch available at time of exploitation
Attack surface: Personal home computer — no corporate EDR, no MDM, no monitoring
Result: Remote code execution on the DevOps engineer's home machine
Using the RCE foothold, the attacker installed a keylogger on the DevOps engineer's home PC. When the engineer next unlocked their personal LastPass vault, the master password was captured in plaintext. LastPass confirmed that the keylogger captured the master password and that MFA was bypassed — the engineer's vault was on a personal device where the MFA state was already trusted, so only the master password was needed to decrypt the local vault.
MFA bypass: Personal device was a trusted device — MFA not re-prompted at each vault unlock
What was captured: Master password for the DevOps engineer's personal LastPass vault
The attacker used the captured master password to decrypt the DevOps engineer's LastPass vault. Inside were the credentials the engineer used day-to-day: AWS IAM access keys, cloud infrastructure credentials, and the decryption keys for the LastPass production backup environment stored in S3. The vault effectively contained the keys to the kingdom — by targeting the one person whose vault was both accessible from a personal device and contained production credentials, the attacker bypassed all of LastPass's production security controls in a single step.
Irony: A password manager's own vault was the attack vector against its production infrastructure
Architectural failure: Production credentials stored in a personal vault on an unmanaged device
Using the AWS credentials from the decrypted vault, the attacker accessed LastPass's production S3 backup buckets and exfiltrated a copy of all encrypted customer vault backups. The backup files also contained unencrypted metadata: website URLs, usernames, billing information, IP addresses, and MFA seeds for some accounts. The encrypted vault data itself is protected by each customer's master password — but weak master passwords remain vulnerable to offline brute-force attacks against the exfiltrated data.
Unencrypted metadata also taken: Website URLs, usernames, billing data, IP history, MFA seeds
Ongoing risk: Offline brute-force attacks against encrypted vaults using weak master passwords
Also taken: API integration secrets, multi-factor authentication seeds, customer keys
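The offline brute-force risk described above, as an added example that is not LastPass's code: a small Python model of a vault key derived from a master password, the unlock check that an offline holder of the backup can repeat per candidate with no server involved, and a cost estimate showing how master-password entropy and KDF iteration count multiply. The salt, the check value construction, the iteration counts and the attacker guess rate are assumptions, not LastPass's settings.

```python
"""Added example (not LastPass code): an exfiltrated vault backup can be attacked
offline, so its protection is the master password's entropy multiplied by the
key-derivation cost. Every parameter below is an assumption, not a LastPass value."""
import hashlib
import hmac

SALT = b"constructed-16B!"  # constructed sample salt; a real backup carries its own

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the slow step repeated once for every candidate password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def key_check_value(vault_key: bytes) -> bytes:
    """Constructed stand-in for 'does this key open the vault': an HMAC over a fixed label.
    Whoever holds the backup can test a candidate key this way with no server involved."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()

def unlocks(candidate: str, salt: bytes, iterations: int, stored_kcv: bytes) -> bool:
    """The client's own unlock check; it is also exactly what an offline guesser repeats."""
    kcv = key_check_value(derive_vault_key(candidate, salt, iterations))
    return hmac.compare_digest(kcv, stored_kcv)

def expected_crack_years(entropy_bits: float, iterations: int, attacker_kdf_per_sec: float) -> float:
    """Mean time for an offline guesser to hit the master password.
    attacker_kdf_per_sec is the assumed rate at iterations=1; each added iteration divides it.
    On average half the keyspace is searched before success."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * iterations / attacker_kdf_per_sec / (365 * 24 * 3600)

if __name__ == "__main__":
    ATTACKER_RATE = 1e9  # assumption: single-iteration PBKDF2 guesses per second on a GPU rig
    vault_kcv = key_check_value(derive_vault_key("correct horse battery", SALT, 5000))
    print("unlock with right password:", unlocks("correct horse battery", SALT, 5000, vault_kcv))
    print("unlock with wrong password:", unlocks("password123", SALT, 5000, vault_kcv))
    # ~28-bit: typical human-chosen password; ~64-bit: a multi-word random passphrase.
    # 5_000 stands in for a legacy low iteration count; 600_000 is OWASP's PBKDF2-SHA256 figure.
    for bits in (28, 64):
        for iters in (5_000, 600_000):
            print(f"{bits}-bit password, {iters:>7} iterations: "
                  f"{expected_crack_years(bits, iters, ATTACKER_RATE):.2e} years")
```

The estimate is a defender's sizing tool: a high iteration count buys a constant factor, while each extra bit of master-password entropy doubles the attacker's work, which is why the weak-password population remains exposed after a backup exfiltration.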