
Hackers accessed the decrypted vault from a LastPass employee’s home computer

  • February 28, 2023


The LastPass hack from August last year turned out to be more extensive than we initially thought. The intruders did not just make off with encrypted password folders that store sensitive information like usernames, passwords, and associated URLs. They also gained access to a LastPass employee’s home computer. This allowed the attackers to break into a decrypted vault that only a handful of employees had access to.

After the August 2022 hack, LastPass at first stated that no customer passwords had been stolen. At the end of last year, the password manager revisited that statement. The company acknowledged that during the August attack, attackers made off with password folders containing sensitive information such as usernames and passwords with associated URLs. Now the LastPass hack turns out to have been more involved still.

The same attacker struck again

While the previous attack ended on August 12th, LastPass reports that the attacker remained active between August 12th and 26th. During those days, the unknown intruder managed to steal credentials from a senior DevOps engineer. The hacker did this by exploiting a vulnerability in third-party Plex software installed on the employee’s home computer, Ars Technica reports.

The hacked DevOps engineer was one of only four LastPass employees who had access to the vault. Among other things, this vault contained encryption keys for the AWS S3 LastPass backups, other cloud-based content, and a number of important database backups. Once the attacker had access, they exported the contents of that vault.

Because the second incident unfolded very differently from the first attack, security researchers did not immediately realize that the two attacks were linked. In the second incident, the intruder used the information gleaned from the first hack to delve even deeper into LastPass.

Source: IT Daily
