LastPass Shares Details of Connected Security Breaches

LastPass CEO Karim Toubba has announced that the password management company suffered a security breach last month, with attackers making off with unencrypted customer account data and customer vaults containing encrypted usernames and passwords.

This could be a nightmare situation for LastPass, but most users shouldn’t be at significant risk because the company’s Zero Knowledgesecurity architecture prevents it from having access to or knowledge of a user’s master password—the stolen data doesn’t contain any master passwords. This safeguard should prevent the attackers from decrypting the stolen usernames and passwords.

LastPass has been transparent about the breach, posting when it happened and following up this week with additional details. Although LastPass’s on-premises production environment was not breached, the attacker was able to leverage information captured in an earlier breach of a developer’s account in August 2022 to target another employee’s account in order to steal data from cloud-based storage that LastPass used for backup.

This incident highlights weaknesses in LastPass’s approach to security. The stolen data included unencrypted customer account information (names, addresses, and phone numbers, but not credit card details) and encrypted customer vault data. LastPass secures usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, and they can be decrypted only with a unique encryption key derived from each user’s master password. Within user vaults, however, website URLs associated with password entries weren’t encrypted.

LastPass relies entirely on that user-selected master password to secure encrypted data. Even though the company has hardened minimum requirements for setting passwords, users can set master passwords weak enough to be susceptible to cracking attempts. Apple’s iCloud Keychain, 1Password’s cloud-based storage, and some other solutions mix device-based keys with master passwords or account logins for far greater resistance—an attacker has to obtain and unlock a device in addition to compromising a vault or account password.

What Actions Should LastPass Users Take?

As long as you used your LastPass master password only at LastPass and retained the company’s default settings, LastPass does not recommend any actions at this time. (The defaults require a minimum of 12-character master passwords and specify a high number of iterations in a password-strengthening algorithm.)

A brute-force decryption might be successful against your master password if you reused it on another site that had been compromised, set one that’s fewer than 12 characters (never do that!), or lowered the default password-strengthening settings. If any of those are true, change your master password immediately and turn on multifactor authentication. (Use the LastPass Authenticator app: for instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.)

Because the vaults were stolen, nothing you do can protect the integrity of that data, which is already in the hands of the thieves. LastPass suggests people at risk of having their master password cracked consider changing passwords on stored websites. Start with the most critical accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data. If you’re worried, change passwords more broadly. (Typically, you never need to change unique, strong passwords, but here your core secrets were stolen, even if they remain encrypted.)

Those with weak master passwords should also change them and enable multifactor authentication for their LastPass accounts. Even though the horse is out of the barn, you can get a new horse and secure the door behind it: possible future breaches are less likely to affect you if you have updated the passwords stored in your vault and have secured them with a new strong, unique password.

Regardless of the strength of their master passwords, LastPass users must now be especially alert for additional phishing attacks. Since LastPass vault backups did not encrypt website URLs, phishers can combine them with an email address associated with your unencrypted account information.

If you are at all uncertain that an email or text message that links to a login page isn’t legitimate, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify. Particularly watch out for credit-card warnings and package-tracking alerts—both are ready paths for phishers in the best of times and even more likely to fool users during the holiday season.

Questions and Concerns

Obviously, LastPass made mistakes here, but at least the company is being transparent about what happened. It doesn’t seem as though LastPass was cavalier about security—this sounds like a sophisticated, multi-prong attack that took months to carry out. It’s a worthwhile lesson for all organizations to realize that targeted attacks on one employee and then another ultimately allowed the breach of massive amounts of data. Nonetheless, the outcome raises questions and concerns.

Should LastPass users consider switching to another password management solution? 

The main argument I could make for switching is that the attackers could continue to exploit the stolen information to compromise LastPass’s systems again. LastPass hardened its system in response to the August breach of one developer’s account, but that wasn’t sufficient to stymie the November attack on the second employee.

Conversely, as far as we know, LastPass’s Zero Knowledge architecture remains secure, so if you’re comfortable with the strength of your master password and you trust LastPass’s overall architecture, you should be able to continue using it with no additional worry.

As someone who has used LastPass for many years as my primary solution—Tonya uses 1Password, and we share a family vault with Tristan there too—I’m not planning to switch away from LastPass based on this breach alone. However, I have been having a few other irritations with LastPass—password-free authentication failing on the Apple Watch and its Chrome extension frequently becoming corrupted (see “Chrome Extensions Disappearing? Click Repair,” 24 August 2021)—so the breach may push me to another solution, likely 1Password.

Is this breach an indictment of the entire concept of cloud-based password management services? 

While some would undoubtedly say yes, arguing that locally managed passwords are not susceptible to attacks on a company, the issue has more to do with how cloud-based data is secured. While LastPass doesn’t hold the encryption keys to your data, its encryption method isn’t truly “end-to-end” because all the encryption power is locked in a key that can be entered anywhere, rather than requiring all or some components to be held solely on devices. You can put a strong lock on a treasure chest, but if it can be picked by a determined party, it’s not as effective as a lock secured by yet another, fiendishly more difficult lock.

Swearing off cloud-based storage in favor of locally managed passwords also presumes you wouldn’t fall prey to phishing or other attacks that target you randomly instead of specifically. The LastPass breach required direct attacks on specific employees, but scattershot attacks can be automated or distributed broadly via malware—the attackers don’t know or care who their victims are.

Plus, cloud-based systems provide two compelling features: syncing among multiple devices and platforms and sharing particular passwords with other users of the same system. Syncing is fairly easy to replicate using iCloud, Dropbox, or the like, but password sharing with other people generally requires some sort of shared account.

Are other password managers vulnerable to similar attacks?

I wouldn’t think so. The LastPass breach relied on previously stolen information that provided access to secondary backup storage thanks to credentials and information stolen in attacks targeting individual employees. It was a custom attack and couldn’t be used against other firms. And LastPass’s reliance on a single master password also puts its users’ data at unique risk.

That said, I have to assume that all password management services are under near-constant attack because, to paraphrase bank robber Willie Sutton, that’s where the passwords are. These companies may consider such attacks business as usual, or they may be using LastPass’s incident as an excuse to reexamine their security practices to make sure they haven’t missed anything. LastPass presumably didn’t think it had missed anything before August 2022.

When will passkeys eliminate problems like this? 

I don’t know, but it can’t happen soon enough. See “Why Passkeys Will Be Simpler and More Secure Than Passwords,” (27 June 2022).