Credential theft
LastPass Second Breach – Source Code Used to Target Employee, Decrypt Customer Vault Backups
Primary Source
Incident Details
In November-December 2022, attackers who had previously breached LastPass in August 2022 (stealing source code and technical documentation) used that information to identify and target a senior DevOps engineer who had access to LastPass’s cloud backup environment. The attackers exploited a known vulnerability in the Plex Media Server software (CVE-2023-15955) installed on the engineer’s personal home computer to deploy a keylogger, capturing the engineer’s LastPass master password and MFA authentication codes. Using the stolen credentials, the attackers accessed the engineer’s LastPass corporate vault and extracted the decryption keys for the AWS S3 cloud storage holding LastPass customer vault backups.

The stolen data included encrypted customer password vaults, basic customer account information, billing addresses, email addresses, phone numbers, and partial credit card data. The password vaults were encrypted with AES-256, but that protection was only as strong as each customer’s master password. LastPass disclosed the full extent of the breach in December 2022 and published additional details in February-March 2023.

The incident demonstrated a sophisticated two-stage attack: knowledge stolen from the developer environment in the first breach was used to identify and target a single insider in the second. Billions of password vaults – some with weak master passwords – were potentially crackable by offline brute force. Security researchers linked subsequent cryptocurrency thefts (totalling over $35 million) to cracked LastPass vaults. The FTC began an investigation into LastPass’s security practices.
Technical Details
- Initial Attack Vector
  - The attacker used information stolen in the August 2022 LastPass breach (source code and technical data) to target a senior LastPass DevOps engineer at home; exploited a vulnerable third-party media software package on the engineer's personal computer to install a keylogger; captured the employee's master password and MFA credentials to access their LastPass corporate vault; then accessed a LastPass AWS S3 cloud backup containing encrypted customer password vaults
- Vendor / Product
  - LastPass cloud storage / AWS S3 customer vault backups
- Malware Family
  - Keylogger (delivered via vulnerable Plex Media Server)
Timeline
- 2022-11-30 Breach occurred
- 2022-12-22 Publicly disclosed
- 2022-12-22 Customers notified