Russ Harvey Consulting - Computer and Internet Services

The LastPass Security Breaches

Choosing your next steps

The LastPass logo

Breach Details | Choosing Your Next Steps
Staying with LastPass | Leaving LastPass

Uncited block quotes are from LastPass security updates.

Two LastPass breaches were announced in August and December 2022.
LastPass is no longer recommended.

Warning: Fake LastPass app on Apple Store.

The LastPass Security Breaches

TL;DR: The breach was helped by a lax security policy, an employee was accessing critical company data from their home computer.

 

So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022.
Almost Secure
The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, and the number of rounds of encryption used, MFA seeds and device identifiers. The vault data included, for each breached user, unencrypted website URLs and site names, and encrypted usernames, passwords and form data for those sites. According the reports, the stolen info did not include a plain text copy of the user's master password.
Wikipedia

This raises the question about what to do next. But first, a harder look at the issue.

First Incident Reported August 25th

LastPass let their users know on August 25, 2022 that a security breach had occurred August 8–12, but stated that only proprietary information was taken:

A software engineer's corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.

 

We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

The hacker was able to gain access by exploiting a vulnerable piece of consumer software on the DevOp's computer.

Neither incident was caused by any LastPass product defect or unauthorized access to — or abuse of — production systems.

 

Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.

Such software should NEVER have been on any computer accessing either LastPass development areas or customer data.

Second Incident Reported December 22nd

A second breach was reported on December 22, reporting no malicious access after October 26th:

The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.

The loss of customer data wasn't reported for nearly two months.

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren't amused, this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.
Almost Secure

“Your Vault is Safe”

The statement noted that a customer's password vault was secure if you'd used a good password:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

 

If you use the default settings [twelve-character minimum master password and 100,100 iterations of the PBKDF2], it would take millions of years to guess your master password using generally-available password-cracking technology.

 

Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture. There are no recommended actions that you need to take at this time. [emphasis mine]

This left most customers feeling their data was safe.

LastPass Encrypts Your Password Vault

The good news is that LastPass encrypts your password vault before it uploads it to the cloud &mdmash; one of the reasons I recommended it.

However, There are Serious Concerns

However, there are some very serious concerns:

Not Enough Iterations

Unfortunately, the vaults with fewer iterations would be much easier to crack.

When more details started to come out in January and February indicating that LastPass had failed to inform or enforce users that were using 5,000 or fewer iterations in their LastPass settings (the default for new users prior to July 9, 2018) that they should upgrade to at least 600,000.

LastPass makes use of the Password Based Key Derivation Function (PBKDF2) which makes it harder for someone to guess your account password through a brute-force attack. Each round of PBKDF2 hashing converts your original input — the master password — into a unique encryption key using hashing. This type of hashing can't be reversed. The more PBKDF2 iterations you apply, the more secure the encryption key will be and the harder it will be to guess.

As a result, many, many LastPass users were still using too minimal iterations — far too few for today's multi-GPU hacking practices. Those users' vaults will be relatively easy to hack.

LastPass may have added a further 100,100 iterations after the vault is uploaded to their servers.

Not Everything was Encrypted

Even if your vault's password and iterations were decent, LastPass didn't encrypt everything.

A few days ago LastPass admitted that unknown attackers copied their “vault data.” It certainly doesn't help that LastPass failed to clarify which parts of the vaults are encrypted and which are not. LastPass support adds to the confusion by stating that password notes aren't encrypted which I'm quite certain is wrong.

 

Passwords, account and user names, as well as password notes are encrypted. Everything else: not so much. Page addresses are merely hex-encoded and various metadata fields are just plain text.
Almost Secure, December 22, 2022

What Data was Accessed?

The stolen data includes the following unencrypted data:
  • company names
  • end user names
  • billing addresses
  • telephone numbers
  • email addresses
  • IP addresses which customers used to access LastPass
  • website URLs from your password vault
In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use.
Graham Cluley

One of the unencrypted pieces of data released was the number of PBKDF2 iterations that an end user was configured to use. This means they will know which vaults will be easiest to decrypt.

See Steve Gibson's explanation of the significance of iterations on this Security Now podcast:

Those in possession of your vault can scan this unencrypted information to see if you've included banking, credit cards and similar financial information, making those cherry-picked vaults a prime target for brute-force decryption. They also can be more effective in spear-phishing attacks.

If you're among those with both weaker security and high-value site passwords or credit card information included in your vault, you must act quickly.

Learning More

If you would like more detailed discussion about the LastPass 2022 breach and its implications, listen to these podcasts with Steve Gibson and Leo Laporte:

Return to top

LastPass or Not? Choosing Your Next Steps

If you were using LastPass at the time of these security breaches, you have a decision to make. Do you:

Considerations

Keep this in mind: You must assume your passwords were compromised.

LastPass not only failed to keep your passwords safe, but failed to warn you in a timely manner so LastPass itself may fail at some point as a result.

The question is what to do about it.

While any password manager is better than none, there are advantages to a password manager that is proven secure and reliable. LastPass failed that test.

Bitwarden is my recommended password manager solution.

You MUST Change Your Passwords

Regardless of whether you stay with LastPass or leave (my recommendation), you need to change the passwords for all your accounts, including the master password.

Choose a password that is both long and strong enough to withstand current brute force attacks (a minimum of 15 random characters, but ideally more).

You should NEVER reuse any password but especially not your password manager's master password.

What if LastPass Fails?

Something else you need to consider is what would happen if LastPass, the company itself, were to fail as a result of these incidents and the publicity surrounding them.

If that were to happen, access to your online vault would probably cease to exist.

This possibility is increasingly unlikely as time passes and as LastPass invests in better security.

Much Negative Press

There has been a lot of negative press:

Previously, LastPass had been a four-star Editors' Choice product. In late 2022, the company announced that a data breach exposed users' encrypted vault data and other unencrypted personal data. Additional details about the breach and the aftermath came to light in February 2023.

 

Because LastPass initially failed to inform its users of the breach and to adequately protect them, we removed the score and Editors' Choice designation from this review. PCMag is currently reviewing its recommendations of password managers and retesting them.

 

At this time, we recommend open-source Editors' Choice winner Bitwarden for anyone looking to switch to a new password manager.
PCMag

Security Experts Advise Moving to Bitwarden

As well, many security experts are moving away from LastPass to Bitwarden.

Steve Gibson (whose recommendation of LastPass helped form mine) has some concerns with the fact that LastPass had not warned users with weaker passwords.

His Twitter posts and Security Now! #905 (PDF) discuss his concerns. The latter includes a PowerShell script that can help you determine how strong your LastPass vault is.

Too Little, Too Late

LastPass is making the effort to fix the things that went wrong.

There is every reason to believe that LastPass were targeted for this attack, perhaps because the hackers knew about the weaknesses in LastPass's security.

Some of this was because LastPass was a legacy product developed when security needs were less intense. They failed to keep up with the technology and didn't inform their customers about the risks of not upgrading their vault master password and increasing the iterations.

While website names were encrypted, the URLs were not. This and other information can be used to focus on more valuable passwords in your vault, such as financial logins.

You'll have to assume all the passwords in your vault were compromised.

The hackers that stole all the LastPass customer vault data have no time limits on their attempts to brute force hack any of these vaults. The vaults of significant companies and individuals will probably be first followed by those vaults with banking or other financial passwords yet poor passwords protecting them.

Even if your entire LastPass vault was not immediately compromised, it could be cracked within five or ten years.

Return to top

Staying with LastPass

I strongly recommend abandoning LastPass. The failure to protect user data, especially AFTER the initial breach, is negligent.

If you're staying with LastPass, you'll need to secure it before changing ALL your passwords.

Improve Security Settings

Start by improving your security settings then monitor updates or changes recommended by LastPass. For example, as of October 18, 2025 LastPass now requires your master password to at least 12 characters.

  1. Log onto your LastPass account;
  2. Follow the instructions to change the number of iterations to at least 100,000 (320,000 recommended).
  3. Change your master password to be at least 12 characters (15–20 recommended).

Change Your Passwords

Once you've secured your LastPass account, you need to update all the passwords in your LastPass vault.

Close Dormant Accounts

Start by closing any unused accounts.

Closing these account prevent unauthorized use and protects you against future data breaches which could expose your private information in the future.

If you haven't accessed them in well over a year, assess whether that account is necessary.

  1. Log onto your LastPass account.
  2. Close any unused accounts by logging onto each legacy site then follow the procedures to close your account.
  3. Remove any passwords for deleted accounts from your LastPass vault.

Change Remaining Passwords in Your Vault

Now that you've eliminated the unnecessary accounts from your LastPass vault, change the remaining passwords, using a unique password generated by LastPass.

Start with the most vulnerable sites (banks, credit cards, etc.) then move to the less valuable sites. This assumes that you did not share passwords across multiple sites.

Passwords Need to Be Longer and Stronger

To understand why these changes are necessary, see password vulnerability to brute force attacks.

Remember, you don't have to remember these passwords.

Once you've changed the password, log out of the account then log back in using your new password. If everything works, delete the temporary copy of your old password.

LastPass Guidance

LastPass has provided guidance for both consumer and business users:

Return to top

Leaving LastPass

Realize that ANY cloud-based password manager (or service) is potentially vulnerable.

The alternative is a secure password manager like Password Safe which resides only on ONE computer.

Steve Gibson's initial support of LastPass was one of the main reasons I felt I could recommend LastPass. That was before is was purchased by GoTo (formerly LogMeIn) then re-established as an independent private equity company in December 2021.

Steve has now moved to Bitwarden (as have I and most of the security folks I trust for advice).

Bitwarden Recommended

Bitwarden is open source which allows other developers and programmers to check the validity of the encryption process and point out vulnerabilities.

Don't Change Passwords in LastPass

If you're moving away from LastPass, do not change your passwords in LastPass.

  1. Set up your new password manager.
  2. Log onto your LastPass account.
  3. Close any unused accounts by logging onto each legacy site then follow the procedures to close your account.
  4. Now delete the legacy account from your LastPass vault.
  5. Once all legacy accounts have been deleted, export your LastPass data.

Warning: this data will be in CSV format and is NOT encrypted. Hold onto it only long enough to import it into your new password manager, then delete it securely.

  1. Choose your new password manager then set it up with a new, secure, master password.
  2. Import the passwords you've exported from LastPass.
  3. Proceed to log into each account then change your password for that account.
  4. Make a note of any account that won't let you change your password so that you're aware that the account and its password is likely vulnerable.

Once you've imported your LastPass data and have made the changes to your passwords in your new password manager, verify that everything is working before securely deleting the LastPass CSV file and your LastPass account.

Return to top

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/lastpass.html
Updated: March 13, 2024