LastPass disclosed a series of incidents tied to its 2022 breach that allowed a threat actor to access and steal highly sensitive customer account data from its Amazon Web Services storage servers during a coordinated and monthslong campaign.
Its investigation revealed a series of threat actor activities from August to October, including reconnaissance, enumeration and exfiltration, the password manager said Monday in an advisory on its support site.
The threat actor used information stolen in an initial breach in August, information from a third-party breach and a remote code execution vulnerability on a DevOps engineer’s home computer to gain access to multiple LastPass resources and backups, the company said.
“The threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service,” LastPass said. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
The intrusion allowed the threat actor to exfiltrate corporate vault entries and shared folders, which contained encrypted notes with access and decryption keys needed to access the company’s AWS production backups, resources and some critical database backups, the company said.
Four months after the initial breach, as 2022 came to a close, LastPass said customer data, including encrypted passwords, usernames and form-filled data, was significantly compromised by the attack.
GoTo, the parent company of LastPass, in January confirmed a threat actor exfiltrated encrypted backups and an encryption key from the same storage vault that it shares with LastPass.