March 20, 2023 By Jonathan Reed 4 min read

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.

A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for other accounts. Password managers even remind you to renew your passwords periodically. For years, security experts have recommended the use of password managers.

Now, in the wake of the LastPass breach, it might be worth revisiting this advice.

LastPass security breach events

In late August of 2022, LastPass announced that hackers had gained entry to parts of the company’s development environment through a compromised developer account. This breach gave the attacker access to parts of the LastPass source code and proprietary technical information. After this first breach, the company reassured its customers that they had contained the situation. Apparently, there was no sign that the attack had compromised customer data or the encrypted password vaults.

In September 2022, LastPass announced that it underwent a thorough investigation and forensic review of the breach with the help of incident response firm Mandiant. LastPass stated they discovered no additional indications of activity from the attacker. Also, the unauthorized access was restricted to its development system, which is physically separated from its production environment.

The situation took a turn for the worse at the end of November when LastPass CEO, Karim Toubba, disclosed that an unauthorized individual had obtained access to a third-party cloud storage device, compromising certain aspects of its customer information. Apparently, there was still no sign that customer data or passwords had been compromised. But just before Christmas, LastPass informed its users that hackers had indeed gained access to both encrypted customer information, including username, password and notes, as well as unencrypted data, such as the URLs of customers’ online accounts.

How they hacked deeper into LastPass

LastPass stated that the source code and technical information originally stolen in August were used to target another employee. This allowed the intruders to obtain credentials and keys. This gave them access and the ability to decrypt storage volumes within the company’s cloud-based storage service. As a result, the intruders were able to exfiltrate customer vault data.

The breach puts LastPass customers’ login credentials at high risk. Only a user’s master password potentially protects their credentials, which LastPass does not store. But if attackers compromise the master password, they will be able to successfully decrypt login credentials for all accounts stored in the password manager.

LastPass response and recommendations

In response to the breach, according to the December statement, LastPass has:

  • Eradicated any further potential access to the company’s development environment by decommissioning the environment and rebuilding a new environment from scratch
  • Replaced and further hardened developer machines, processes and authentication mechanisms
  • Added additional logging and alerting capabilities to help detect any further unauthorized activity
  • Actively rotated all relevant credentials and certificates that may have been affected and supplemented existing endpoint security
  • Performed an exhaustive analysis of every account to detect signs of any suspicious activity within the company’s cloud storage service.

LastPass communicated to all its users that:

  • Since 2018, the company has required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute-force password guessing.
  • To further increase master password security, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess a master password.
  • Customers should never reuse their master password. If a master password is reused and that password is compromised, a threat actor could use compromised credentials that are already available on the Internet to attempt account access (this is referred to as a “credential stuffing” attack).

Other strong password practices, as per Microsoft, include:

  • Using a combination of uppercase letters, lowercase letters, numbers and symbols
  • Avoiding the use of a word that can be found in a dictionary or the name of a person, character, product or organization
  • Choosing a password significantly different from your previous passwords
  • Making it easy to remember but difficult for others to guess. Consider using a memorable phrase like “6MonkeysRLooking^”.

The ongoing password manager debate

Given the LastPass breaches, should companies abandon password managers? These days, nobody can say they are impervious to attack. Any company might get hacked at any time. However, some feel LastPass could have handled the incident in a more effective way.

Unfortunately, there is no 100% secure password management solution. For example, a device-based manager stores and manages passwords locally on the device. This would avoid the risk of a LastPass-like breach. But if your device is lost, corrupted or becomes inaccessible, you lose all your passwords as well. And the rapid rise of infostealer malware places any device-based password storage at risk.

Overall, experts still consider password managers to be good practice. They not only provide password security but also ease of use. With features like password change reminders, password generation tools and device syncing, password managers still have many advantages. And even passwordless solutions aren’t without their risks.

Cybersecurity experts generally consider cloud-based password managers to be safe and secure, as they typically use AES-256 encryption, which is very difficult to crack. It’s important to choose a password manager that operates on a zero-knowledge principle, meaning the manager should not have access to your data. Also, it’s best to avoid accessing your password manager on public networks, as your data may be vulnerable to capture.

Don’t count on passwords alone

As no password solution is bulletproof, it’s important to implement other security strategies, such as multifactor authentication and least-privilege principles. Least privilege means a user that requests access to a resource receives only the minimum necessary rights. And privilege should be in effect for the shortest duration necessary. An advanced least-privilege security environment may have prevented the LastPass intruders from moving laterally. All shields up!

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today