When it comes to password managers, LastPass has been one of the most prominent players in the market. Since 2008, the company has focused on providing secure and convenient solutions to consumers and businesses. Or so it seemed.

LastPass has been in the news recently for all the wrong reasons, with multiple reports of data breaches resulting from failed security measures. To make matters worse, many have viewed LastPass’s response to these incidents as less than adequate. The company seemed to downplay the severity of the incidents and failed to provide adequate transparency of the issues within a reasonable amount of time.

The recent events have led many to wonder if these are the last days for LastPass. Or is this simply a roadblock in the company’s long history of reliable security? You be the judge.

LastPass’s recent history of security failures

For many years, the industry recognized LastPass as a reliable and secure password-management service. In fact, LastPass grew its subscriber list to more than 33 million users and over 100,000 businesses globally. Touting its Zero-Knowledge architecture, 256-bit encryption and attractive user interface, LastPass was seen as the go-to option for secure password management. Unfortunately, 2022 proved to be a tumultuous year for the self-proclaimed “pioneer in cloud security technology”. So far, 2023 isn’t providing much comfort either.

On August 25, 2022, the CEO of LastPass informed users that the organization had detected “unusual activity” in its development environment. LastPass later confirmed the activity as a security breach. According to LastPass, the company had no evidence that the intrusion had compromised customer data. It still assured its users that it had “implemented additional enhanced security measures” to better protect its environment moving forward.

The security issues continue

Then in November of 2022, LastPass stated that its third-party cloud storage service, which it shared with its partner GoTo, had also been breached, using information the attacker had obtained in the August attack. LastPass notified authorities and insisted that its customers’ data was safe due to its Zero-Knowledge architecture.

Fast forward one month. In December of 2022, LastPass updated its findings from the August data breach and advised all of its users that hackers did, in fact, obtain an extensive amount of sensitive details from user accounts, including usernames, email addresses, IP information and other sensitive data. Of particular concern was the fact that customer vault data was among the stolen information. However, according to LastPass, the heavily encrypted data would remain very difficult for the attackers to decrypt.

On March 1, 2023, the penny dropped when LastPass notified users of its official findings that the incident surrounding its recent breaches was due to a compromised software engineer’s corporate laptop. The threat actor targeted a senior DevOps engineer, exploiting third-party software, and gained access to “highly secure” API and third-party integration secrets, system configuration data and encrypted and unencrypted user data.

What risks are LastPass users now facing?

In short, if you are or were one of LastPass’s subscribers, hackers can access all of your LastPass vault data. Let that sink in for a minute.

Before you run to your computer and start dismantling it in fear, it’s important to recognize the significance of LastPass’s 256-bit encryption protocol. While hackers may have access to your data, it remains extremely difficult for them to actually use that information without the proper decryption key.

However, this does not discount the fact that users are now facing a heightened risk of identity theft and fraud. The most troubling of LastPass’s recent statements suggest that hackers gained access to the company’s encryption protocols and proprietary software, which could lead to the potential for attackers to decrypt customer vault data down the road using sophisticated tools.

Additionally, LastPass’s vault security is only as strong as the chosen master password. It’s clear that many users will need to take action sooner rather than later to close the security gap.
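The two points above (the vault is useless without the decryption key, and the key is only as strong as the master password) are easiest to see in working code. The example below is added here and is not the article’s or LastPass’s code: it derives a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256, the general key-stretching approach vault products use, and then estimates how long an offline search of a stolen, encrypted vault would take in the worst case. The iteration count, the attacker hash rate and the use of a non-secret per-user salt are constructed, illustrative assumptions, not values stated in the article.

```python
import hashlib
import math

# Constructed parameters for this example (not values stated in the article).
KDF_ITERATIONS = 100_000          # PBKDF2 rounds applied to the master password
KEY_LEN_BYTES = 32                # 256-bit vault key
ATTACKER_SHA256_PER_SEC = 1e10    # assumed offline SHA-256 rate of one cracking rig
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt is a per-user, non-secret value (assumed here): it stops an
    attacker from precomputing one table that works against every vault,
    but it adds no secrecy of its own. Without the master password there is
    no way to recover the key from the encrypted vault and the salt alone.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN_BYTES)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search over the alphabet must try."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int,
                     iterations: int = KDF_ITERATIONS,
                     hash_rate: float = ATTACKER_SHA256_PER_SEC) -> float:
    """Worst-case offline search time against a stolen encrypted vault.

    Every guess costs `iterations` PBKDF2 rounds (about two SHA-256
    compressions each), so stretching divides the attacker's guess rate
    linearly, while each extra password character multiplies the keyspace.
    """
    guesses_per_sec = hash_rate / (2 * iterations)
    return keyspace(length, alphabet_size) / guesses_per_sec / SECONDS_PER_YEAR


def min_length_for(target_years: float, alphabet_size: int,
                   iterations: int = KDF_ITERATIONS,
                   hash_rate: float = ATTACKER_SHA256_PER_SEC) -> int:
    """Smallest password length whose full keyspace takes >= target_years."""
    guesses_per_sec = hash_rate / (2 * iterations)
    required_guesses = target_years * SECONDS_PER_YEAR * guesses_per_sec
    return math.ceil(math.log(required_guesses) / math.log(alphabet_size))


if __name__ == "__main__":
    # Same password and salt always give the same key; a changed master
    # password gives an unrelated key, which is why rotating it after a
    # breach (and re-encrypting the vault under the new key) matters.
    salt = b"user@example.com"          # constructed sample salt
    k1 = derive_vault_key("correct horse battery staple", salt)
    k2 = derive_vault_key("correct horse battery stapler", salt)
    print("keys differ:", k1 != k2)

    # How much the 256-bit cipher actually buys depends on the password.
    for length, alphabet, label in [(8, 26, "8 lowercase"),
                                    (8, 95, "8 printable"),
                                    (12, 95, "12 printable")]:
        print(f"{label:13s}: {years_to_exhaust(length, alphabet):.3g} years")
    print("printable length for a 100-year margin:", min_length_for(100, 95))
```

The numbers the script prints are only as good as the assumed hash rate and iteration count, so treat them as a way of comparing password choices against each other rather than as an absolute guarantee; raising the iteration count buys a linear factor, while lengthening the master password buys an exponential one.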

Is LastPass still safe to use?

In the aftermath of the recent LastPass data breaches, it’s no secret that the company is doing serious damage control: not only to its security systems and processes but also to its brand reputation.

However, one of the main issues that LastPass has to address with the public is its response time. LastPass was slow not only to investigate the threats but also to inform its users of the various breaches afterward. This delay showcased a lack of transparency from LastPass, indicating that the company did not properly manage its security processes or take appropriate measures to protect customer data.

Security experts are starting to agree that LastPass has let its guard down when it comes to protecting user data, potentially by focusing too much on attracting new market share and not enough on proper security protocols. The general message is that LastPass may still be utilizing strong encryption protocols, but there are still too many unanswered questions when it comes to how they handle persistent threats.

As Jeremi Gosney, esteemed password cracker and Senior Principal Engineer of the Yahoo security team, recently explained in an extensive series of posts, “I used to support LastPass. I recommended it for years and defended it publicly in the media… But things change.”

In addition, Gosney released a comprehensive article on Infosec Exchange urging people to switch to an alternate password manager for greater security.

“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” Gosney says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

What should your next step be?

When it comes to password management, there are always multiple arguments to bring to the table.

On the one hand, LastPass offers a great user experience and powerful security features. While the most recent incidents paint them in an incriminating light, the security measures they use aren’t significantly different from those of other password managers.

On the other hand, everyone needs to ask themselves whether their data is “really” secure when placed in third-party hands. For many, this situation only heightens the need for more organizations to move to passwordless environments that eliminate the need for users to store and change their passwords regularly.

But for those current users of LastPass who are still unsure about whether or not to move their password security to another provider, simplify your decision by considering the answer to this question:

If you were a bank owner who just experienced a robbery only to find out that your bank security team was sleeping on the job, would you still trust them to get the job done right? Or would you find someone else more qualified?
