Skip to Content

LastPass Breach Compromised Large Amounts of Sensitive Data

Updated on 2022-12-31: LastPass Breach Compromised Large Amounts of Sensitive Data

On December 22, LastPass updated its notice about an August 2022 cyberattack that was disclosed in November. At that time, LastPass wrote that “an unauthorized party … was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted.” The December 22 updates notes that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container” as well as other sensitive customer data.


  • Aside from leaking customer data, which should be expected to leak after it was stored in the cloud, LastPass relied solely on a user-selected passphrase to protect the password information, and failed to encrypt some additional data included in the password vault. Competitors include a machine-selected random string in addition to the user-selected passphrase to create the encryption key.
  • But aside from the technical details and shortcomings, this significant breach is the result of a business model that justifies subscription revenue by offering cloud-based services to synchronize password vaults across devices. Prior to implementing subscription-based pricing, some password managers offered local peer-to-peer synchronization not requiring the storage of password vaults outside of devices using them.
  • From a password manager perspective, based on the information we have this appears to be close to a worst case scenario. However, keep in mind it appears that the cyber threat actors have access to the encrypted password vault, not the passwords themselves. This means how long it takes for your passwords to be accessed depends on the strength of your Password Manager password (which should be VERY strong) and / or how LastPass approached the encryption of those vaults. Are Password Managers still a good idea? I feel absolutely yes. However, I would most likely use a different vendor (LastPass has had numerous problems in the past). In addition, this is where MFA is so important, as it provides that second layer of defense. Finally, Passkeys (FIDO / phishing resistant MFA) will help resolve many of these issues, making authentication not only simpler for people, but stronger.
  • Think of a scenario like this where a threat actor obtains access to your backup data along with the keys to decrypt it, by leveraging compromised information to compromise an employee with access to those keys. Review the access controls you have on information stored in the cloud, particularly concentrated collections such as backups, ensuring they are strongly encrypted, and access to that data is monitored, then review the who and how you have controlling access to those keys. For data exfiltrated from LastPass, the sensitive data elements within those containers is protected by unique AES 256-bit keys derived from your master password which LastPass doesn’t have. Even so, review stored accounts, enabling MFA wherever possible, and if you decide to switch password managers, don’t update the LastPass repository with your revised credentials.
  • The reality of attackers making off with entire vaults that also contain some unencrypted information that could still be considered sensitive or identifying is just too much. This is not LastPass’ first or second cyber breach. While LastPass has been handling their duty to report well, they have not been improving their cyber defenses sufficiently as a response to these breaches. My questions: 1) How is a data transfer of protected customer vaults not alerting? 2) How does an increase in traffic go unnoticed? 3) Finally, why is customer data kept in their vault unencrypted?
  • It is to be hoped that 2023 will see the widespread adoption of Passkeys, the safest and most convenient mechanism for user authentication. While it will reduce the risk of fraudulent reuse of credentials, social engineering attacks against users, it will not reduce the responsibility of those in the IAM business for protecting the other sensitive data that they hold about their customers. It is not clear that they are up to the task; users must consider the risk.


Updated on 2022-12-30

The CERT-India issued an advisory against phishing attacks in the wake of the data breach at LastPass. It warned against the further use of the compromised accounts for malicious activities. Read more: Govt of India issues advisory against potential phishing attacks in wake of LastPass data breach

Updated on 2022-12-29: LastPass breach

The day after our last newsletter and just ahead of the Christmas holiday, LastPass updated the blog post about its August security breach to add a bunch of bad news. The new text is full of PR misdirections, but translated, the company effectively admits it didn’t contain the August intrusion, and since then, the threat actor moved laterally across its network and managed to gain access to a cloud server where the company was storing its users’ encrypted password vaults. Yes, your LastPass password vaults are gone, and it’s apparently pretty easy to brute-force them if your master password is weak. Read more: What’s in a PR statement: LastPass breach explained

Updated on 2022-12-23

In an update, LastPass revealed that attackers stole customers’ critical information, including backups of encrypted password vaults, in a data breach that occurred in November. Read more: Notice of Recent Security Incident

Updated on 2022-12-04: LastPass hacked for the second time this year

Password manager LastPass said it was breached for a second time this year — months after its developer environment was compromised. LastPass said this time the “unauthorized party” (we can probably assume it’s a cybercriminal at this point) broke in using information they had stolen from its first breach in August. Clearly something went wrong in remediation, or exposed keys or credentials weren’t revoked, because this time the attacker was able to break into its cloud storage and obtain “certain elements of our customers’ information” from its servers, but has so far refused to say what (or even if it knows) what customer data has been stolen. LastPass’ parent company GoTo also uses that shared storage and confirmed in a blog post that it was investigating. But if you didn’t see that blog post, that was by design, since GoTo hid the breach notice from Google’s search index. Read more:

Updated on 2022-12-02

Remote access and collaboration firm GoTo confirmed suffering a data breach where the attackers gained access to its development environment, also affecting some customer information related to LastPass. Read more: GoTo says hackers breached its dev environment, cloud storage

Updated on 2022-12-01: LastPass discloses second breach this year

Password management utility LastPass says that a threat actor has breached one of its cloud storage servers using information the company believes was initially stolen during a previous security incident that took place in August 2022. LastPass says the intruder gained access to “certain elements of our customers’ information,” but that account master passwords remain safely encrypted. The company says it is working with Mandiant and law enforcement to investigate the incident. The incident also impacted the infrastructure of GoTo, a sister company part of the LogMeIn group. Read more:

Updated on 21 September 2022: LastPass Breach Update

In a blog post, LastPass CEO Karim Toubba writes that the intruders were active in LastPass systems for four days in August. The intruder had access to the Development environment via a compromised developer endpoint and stole source code and proprietary technical information.


  • Kudos to LastPass for their transparency around this breach. Many of the headlines surrounding the initial breach talked about customers’ password vault being at risk, which is not the case. While it is not comfortable for LastPass to have their development environment exposed, this case is valuable lesson in ensuring you have the facts in place before deciding on how to respond to a news story.
  • Kudos to LastPass for transparency. To include discussion of how they are preventing recurrence. While they have determined no malicious code was introduced into the development environment, the harder part will be determining what, of their code was exfiltrated and how to ensure that code cannot be leveraged to circumvent the security of their products. As such, make sure that you’re watching for and deploying any LastPass updates proactively.


Overview: LastPass hack update

In another update to its data breach disclosure blog post, password management app LastPass said it completed its investigation into the incident and determined the hacker only had access to its systems for a period of four days in August. The company disclosed the breach on August 25, when it found that one of its developers’ accounts had been compromised via social engineering. Read more: LastPass > Notice of Recent Security Incident

A few weeks ago LastPass disclosed a network intrusion. Now with more details, the password manager company said the attacker “gained access to the development environment using a developer’s compromised endpoint.” It’s not clear how the attacker broke in to the developer’s device — an endpoint could be anything from antivirus to a home router — but the attacker “utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.” Since the company doesn’t store master passwords, they’re safe. Not bad as breach notifications go.

    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on