March 20, 2023 By Jonathan Reed 4 min read

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.

A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for other accounts. Password managers even remind you to renew your passwords periodically. For years, security experts have recommended the use of password managers.

Now, in the wake of the LastPass breach, it might be worth revisiting this advice.

LastPass security breach events

In late August of 2022, LastPass announced that hackers had gained entry to parts of the company’s development environment through a compromised developer account. This breach gave the attacker access to parts of the LastPass source code and proprietary technical information. After this first breach, the company reassured its customers that they had contained the situation. Apparently, there was no sign that the attack had compromised customer data or the encrypted password vaults.

In September 2022, LastPass announced that it underwent a thorough investigation and forensic review of the breach with the help of incident response firm Mandiant. LastPass stated they discovered no additional indications of activity from the attacker. Also, the unauthorized access was restricted to its development system, which is physically separated from its production environment.

The situation took a turn for the worse at the end of November when LastPass CEO, Karim Toubba, disclosed that an unauthorized individual had obtained access to a third-party cloud storage device, compromising certain aspects of its customer information. Apparently, there was still no sign that customer data or passwords had been compromised. But just before Christmas, LastPass informed its users that hackers had indeed gained access to both encrypted customer information, including username, password and notes, as well as unencrypted data, such as the URLs of customers’ online accounts.

How they hacked deeper into LastPass

LastPass stated that the source code and technical information originally stolen in August were used to target another employee. This allowed the intruders to obtain credentials and keys. This gave them access and the ability to decrypt storage volumes within the company’s cloud-based storage service. As a result, the intruders were able to exfiltrate customer vault data.

The breach puts LastPass customers’ login credentials at high risk. Only a user’s master password potentially protects their credentials, which LastPass does not store. But if attackers compromise the master password, they will be able to successfully decrypt login credentials for all accounts stored in the password manager.

LastPass response and recommendations

In response to the breach, according to the December statement, LastPass has:

  • Eradicated any further potential access to the company’s development environment by decommissioning the environment and rebuilding a new environment from scratch
  • Replaced and further hardened developer machines, processes and authentication mechanisms
  • Added additional logging and alerting capabilities to help detect any further unauthorized activity
  • Actively rotated all relevant credentials and certificates that may have been affected and supplemented existing endpoint security
  • Performed an exhaustive analysis of every account to detect signs of any suspicious activity within the company’s cloud storage service.

LastPass communicated to all its users that:

  • Since 2018, the company has required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute-force password guessing.
  • To further increase master password security, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess a master password.
  • Customers should never reuse their master password. If a master password is reused and that password is compromised, a threat actor could use compromised credentials that are already available on the Internet to attempt account access (this is referred to as a “credential stuffing” attack).

Other strong password practices, as per Microsoft, include:

  • Using a combination of uppercase letters, lowercase letters, numbers and symbols
  • Avoiding the use of a word that can be found in a dictionary or the name of a person, character, product or organization
  • Choosing a password significantly different from your previous passwords
  • Making it easy to remember but difficult for others to guess. Consider using a memorable phrase like “6MonkeysRLooking^”.

The ongoing password manager debate

Given the LastPass breaches, should companies abandon password managers? These days, nobody can say they are impervious to attack. Any company might get hacked at any time. However, some feel LastPass could have handled the incident in a more effective way.

Unfortunately, there is no 100% secure password management solution. For example, a device-based manager stores and manages passwords locally on the device. This would avoid the risk of a LastPass-like breach. But if your device is lost, corrupted or becomes inaccessible, you lose all your passwords as well. And the rapid rise of infostealer malware places any device-based password storage at risk.

Overall, experts still consider password managers to be good practice. They not only provide password security but also ease of use. With features like password change reminders, password generation tools and device syncing, password managers still have many advantages. And even passwordless solutions aren’t without their risks.

Cybersecurity experts generally consider cloud-based password managers to be safe and secure, as they typically use AES-256 encryption, which is very difficult to crack. It’s important to choose a password manager that operates on a zero-knowledge principle, meaning the manager should not have access to your data. Also, it’s best to avoid accessing your password manager on public networks, as your data may be vulnerable to capture.

Don’t count on passwords alone

As no password solution is bulletproof, it’s important to implement other security strategies, such as multifactor authentication and least-privilege principles. Least privilege means a user that requests access to a resource receives only the minimum necessary rights. And privilege should be in effect for the shortest duration necessary. An advanced least-privilege security environment may have prevented the LastPass intruders from moving laterally. All shields up!

More from News

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today