When it comes to password managers, LastPass has been one of the most prominent players in the market. Since 2008, the company has focused on providing secure and convenient solutions to consumers and businesses. Or so it seemed.

LastPass has been in the news recently for all the wrong reasons, with multiple reports of data breaches resulting from failed security measures. To make matters worse, many have viewed LastPass’s response to these incidents as less than adequate. The company seemed to downplay the severity of the incidents and failed to provide adequate transparency of the issues within a reasonable amount of time.

The recent events have led many to wonder if these are the last days for LastPass. Or is this simply a roadblock in the company’s long history of reliable security? You be the judge.

LastPass’s recent history of security failures

For many years, the industry recognized LastPass as a reliable and secure password-management service. In fact, LastPass grew its subscriber list to more than 33 million users and over 100,000 businesses globally. Touting its Zero-Knowledge architecture, 256-bit encryption and attractive user interface, LastPass was seen as the go-to option for secure password management. Unfortunately, 2022 proved to be a tumultuous year for the self-proclaimed “pioneer in cloud security technology”. So far, 2023 isn’t providing much comfort either.

On August 25, 2022, the CEO of LastPass informed users that the organization detected “unusual activity” in its development environment. LastPass later confirmed the activity as a security breach. According to LastPass, they had no evidence that the intrusion had compromised customer data. The company still assured its users that they “implemented additional enhanced security measures” to better protect their environment moving forward.

The security issues continue

Then in November of 2022, LastPass stated that its third-party cloud storage service, which it shared with its partner GoTo, was also breached using the same information it obtained in the August attack. LastPass notified authorities and insisted that its customers’ data was safe due to its Zero-Knowledge architecture.

Fast forward one month later. In December of 2022, LastPass updated their findings from the August data breach and advised all of their users that hackers did, in fact, obtain an extensive amount of secure details from all of their user accounts, including usernames, email addresses, IP information and other sensitive data. Of particular concern was the fact that customer vault data was among the stolen information. However, according to LastPass, the heavily encrypted data would remain very difficult for the attackers to decrypt.

On March 1, 2023, the penny dropped when LastPass notified users of its official findings that the incident surrounding its recent breaches was due to a compromised software engineer’s corporate laptop. The threat actor targeted a senior DevOps engineer, exploiting third-party software, and gained access to “highly secure” API and third-party integration secrets, system configuration data and encrypted and unencrypted user data.

What risks are LastPass users now facing?

In short, if you are or were one of LastPass’s subscribers, hackers can access all of your LastPass vault data. Let that sink in for a minute.

Before you run to your computer and start dismantling it in fear, it’s important to recognize the significance of LastPass’ 256-bit encryption protocol. While hackers may have access to your data, it remains extremely difficult for them to actually use that information without the proper decryption key.

However, this does not discount the fact that users are now facing a heightened risk of identity theft and fraud. The most troubling of LastPass’s recent statements suggest that hackers gained access to the company’s encryption protocols and proprietary software, which could lead to the potential for attackers to decrypt customer vault data down the road using sophisticated tools.

Additionally, LastPass’ vault security is only as strong as the chosen master password. It’s clear that many users will need to take action sooner rather than later to close the security gap.

Is LastPass still safe to use?

Following the aftermath of the recent LastPass data breaches, it’s no secret that the company is doing serious damage control: not only to its security systems and process but also to its brand reputation.

However, one of the main issues that LastPass has to address to the public is its response time. LastPass was slow to not only investigate the threats but also to subsequently inform its users of the various breaches. This delay showcased a lack of transparency from LastPass, indicating that the company did not properly manage security processes or take appropriate measures to protect customer data.

Security experts are starting to agree that LastPass has let its guard down when it comes to protecting user data, potentially by focusing too much on attracting new market share and not enough on proper security protocols. The general message is that LastPass may still be utilizing strong encryption protocols, but there are still too many unanswered questions when it comes to how they handle persistent threats.

As Jeremi Gosney, esteemed password cracker and Senior Principal Engineer of the Yahoo security team, recently explained in an extensive series of posts, “I used to support LastPass. I recommended it for years and defended it publicly in the media… But things change.”

In addition, Gosney released a comprehensive article on Infosec Exchange urging people to switch to an alternate password manager for greater security.

“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” Gosney says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

What should your next step be?

When it comes to password management, there are always multiple arguments to bring to the table.

On the one hand, LastPass offers a great user experience and powerful security features. While the most recent incidents paint them in an incriminating light, the security measures they use aren’t significantly different from those of other password managers.

On the other hand, everyone needs to ask themselves whether their data is “really” secure when placed in third-party hands. For many, this situation only heightens the need for more organizations to move to passwordless environments that eliminate the need for users to store and change their passwords regularly.

But for those current users of LastPass who are still unsure about whether or not to move their password security to another provider, simplify your decision by considering the answer to this question:

If you were a bank owner who just experienced a robbery only to find out that your bank security team was sleeping on the job, would you still trust them to get the job done right? Or would you find someone else more qualified?

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today