Russ Harvey Consulting - Computer and Internet Services

LastPass Security Breaches

Choosing your next steps

Breach Details | Choosing Your Next Steps
Staying with LastPass | Leaving LastPass

All trademarks, company names or logos are the property of their respective owners.
Uncited block quotes are from LastPass security updates.

The LastPass logo
The group who stole encrypted data vaults from LastPass is still at large, and they can make endless attempts to guess the master passwords that will open those vaults. It wouldn't take long at all to try the hundred (or thousand) most common passwords against every single vault. If this effort cracks even one target in a hundred, the thieves are doing well.
PCMag

 

The LastPass security breach is a classic story of a once-decent password manager that was compromised by a failure to notify users of the need to employ more secure protocols combined with a lax attitude towards security protocols. LastPass moved quickly through various company transitions which are likely a significant factor and a warning to those using a product that is acquired by a new owner.

The 2022 LastPass Security Breaches

Two LastPass breaches were announced in August and December 2022.
LastPass is no longer recommended.

If you're among those with both weaker security and high-value site passwords or credit card information included in your vault, your information may have been compromised because LastPass didn't encrypt the website URLs, allowing the hackers to focus on the more valuable sites.

TL;DR: The breach was helped by a lax security policy, an employee was accessing critical company data from their home computer. So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022.
Almost Secure
The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, and the number of rounds of encryption used, MFA seeds and device identifiers. The vault data included, for each breached user, unencrypted website URLs and site names, and encrypted usernames, passwords and form data for those sites. According the reports, the stolen info did not include a plain text copy of the user's master password.
Wikipedia
Previously, LastPass had been a four-star Editors' Choice product. In late 2022, the company announced that a data breach exposed users' encrypted vault data and other unencrypted personal data. Additional details about the breach and the aftermath came to light in February 2023.

 

Because LastPass initially failed to inform its users of the breach and to adequately protect them, we removed the score and Editors' Choice designation from this review. PCMag is currently reviewing its recommendations of password managers and retesting them.

 

At this time, we recommend open-source Editors' Choice winner Bitwarden for anyone looking to switch to a new password manager.
PCMag

First Incident Reported August 25th

LastPass let their users know on August 25, 2022 that a security breach had occurred August 8–12, but stated that only proprietary information was taken:

A software engineer's corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.

 

We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

The hacker was able to gain access by exploiting a vulnerable piece of consumer software on the DevOp's computer.

Neither incident was caused by any LastPass product defect or unauthorized access to — or abuse of — production systems.

 

Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.

Such software should NEVER have been on any computer accessing either LastPass development areas or customer data.

Second Incident Reported December 22nd

A second breach was reported on December 22, reporting “no malicious access after October 26th.”

The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
Right before the holiday season, LastPass published an update on their breach.

 

As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren't amused, this holiday season became a very busy time for them.

 

LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.
Almost Secure

The loss of customer data wasn't reported until nearly two months later. By then, the hackers would have had the ability to extract and test many of the most valuable passwords contained in customer vaults. Given the December 22nd reporting date and delays before full disclosure seem designed to protect the company's reputation. This backfired because they lost the trust of many if not most users (and, more importantly, those that had recommended the product).

“Your Vault is Safe”

Customers were told that their password vault was secure if they'd used a good password.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

 

If you use the default settings [twelve-character minimum master password and 100,100 iterations of the PBKDF2], it would take millions of years to guess your master password using generally-available password-cracking technology.

 

Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture. There are no recommended actions that you need to take at this time. [emphasis mine]

This left most customers feeling their data was safe.

LastPass Encrypts Your Password Vault

The good news is that LastPass encrypts your password vault before it uploads it to the cloud. Unfortunately, many LastPass vaults were protected with much fewer than 100,100 iterations.

Other Serious Concerns

However, there are some very serious concerns including the sort of data that was not encrypted:

The stolen data also included unencrypted URLs associated with password entries, providing valuable insight into which password vaults could be targeted to steal credentials to financial services, like cryptocurrency exchanges.

 

It was later revealed that threat actors decrypted some of these weaker master passwords and used the stored credentials to breach cryptocurrency exchanges and steal over $4 million in funds

 

LastPass announced it will start encrypting URLs stored in user vaults for enhanced privacy and protection against data breaches and unauthorized access.
BleepingComputer May 22, 2024

Users Not Informed About the Important of Iterations

When more details started to come out in January and February indicating that LastPass had failed to inform or enforce users to upgrade the number of iterations to at least 600,000 in settings.

Many were using 5,000 or fewer iterations (the default for new users prior to July 9, 2018).

LastPass makes use of the Password Based Key Derivation Function (PBKDF2) which makes it harder for someone to guess your account password through a brute-force attack. Each round of PBKDF2 hashing converts your original input — the master password — into a unique encryption key using hashing.

 

This type of hashing can't be reversed. The more PBKDF2 iterations you apply, the more secure the encryption key will be and the harder it will be to guess.

As a result, many, many LastPass users were still using far too few iterations for today's multi-GPU hacking practices, making those users' vaults relatively easy to hack.

LastPass may have added a further 100,100 iterations after the vault is uploaded to their servers, but that was unclear from the documentation I read.

Too Much was Left Unencrypted

Even if your vault's password and iterations were decent, LastPass didn't encrypt everything.

It certainly doesn't help that LastPass failed to clarify which parts of the vaults are encrypted and which are not.

 

LastPass support adds to the confusion by stating that password notes aren't encrypted which I'm quite certain is wrong.

 

Passwords, account and user names, as well as password notes are encrypted. Everything else: not so much.

 

Page addresses are merely hex-encoded and various metadata fields are just plain text.
Almost Secure, December 22, 2022

What Data was Accessed?

The stolen data includes the following unencrypted data:
  • company names
  • end user names
  • billing addresses
  • telephone numbers
  • email addresses
  • IP addresses which customers used to access LastPass
  • website URLs from your password vault
In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use.
Graham Cluley

One of the unencrypted pieces of data released was the number of PBKDF2 iterations that an end user was configured to use. This means they will know which vaults will be easiest to decrypt.

See Steve Gibson's explanation of the significance of iterations on this Security Now podcast:

Those in possession of your vault can scan this unencrypted information to see if you've included banking, credit cards and similar financial information, making those cherry-picked vaults a prime target for brute-force decryption. They also can be more effective in spear-phishing attacks.

Learning More

If you would like more detailed discussion about the LastPass 2022 breach and its implications, listen to these podcasts with Steve Gibson and Leo Laporte:

Return to top

LastPass or Not? Choosing Your Next Steps

If you were using LastPass at the time of these security breaches, you have a decision to make. Do you:

Bitwarden is my recommended password manager solution.

Considerations

LastPass not only failed to keep your passwords safe, but failed to warn you in a timely manner.

The question is what to do about it.

While any password manager is better than none, there are advantages to a password manager that is proven secure and reliable. LastPass failed that test.

You MUST Change Your Passwords

Regardless of whether you stay with LastPass or leave (my recommendation), you must assume your passwords were compromised.

You need to change the passwords for all your accounts, including the master password.

Unless you've decided to stay with LastPass (not recommended), export your LastPass data then import it into your new password manager before changing the passwords for your accounts.

Choose a password that is both long and strong enough to withstand current brute force attacks (a minimum of 17 random characters, but ideally more).

You should NEVER reuse any password but especially not your password manager's master password.

Security Experts Advise Moving to Bitwarden

Many security experts, including myself, moved from LastPass to Bitwarden.

Steve Gibson had concerns with the fact that LastPass had not warned users with weaker passwords.

His Twitter posts and Security Now! #905 (PDF) discuss these concerns. The latter includes a PowerShell script that can help you determine how strong your LastPass vault is.

Too Little, Too Late

LastPass is making the effort to fix the things that went wrong.

There remains concerns about LastPass's security:

LastPass was a legacy product developed when security needs were less intense. It also changed ownership several times which may have meant the security parameters were no longer understood.

They failed to keep up with the technology and failed to inform their customers about the risks of not upgrading their vault master password as well as increasing the number of iterations.

While website names were encrypted, the URLs were not. This and other information can be used to focus on more valuable passwords in your vault, such as financial logins.

You'll have to assume all the passwords in your vault were compromised.

The hackers that stole all the LastPass customer vault data have no time limits on their attempts to brute force hack any of these vaults. The vaults of significant companies and individuals will probably be first followed by those vaults with banking or other financial passwords yet poor passwords protecting them.

Even if your entire LastPass vault was not immediately compromised, it could be cracked within five or ten years.

Return to top

Staying with LastPass

I strongly recommend abandoning LastPass. The failure to protect user data, especially AFTER the initial breach, is negligent.

If you're staying with LastPass, you'll need to secure it before changing ALL your passwords.

Improve Security Settings

Start by improving your security settings then monitor updates or changes recommended by LastPass. For example, as of October 18, 2025 LastPass now requires your master password to at least 12 characters.

  1. Log onto your LastPass account;
  2. Follow the instructions to change the number of iterations to at least 100,000 (320,000 recommended).
  3. Change your master password to be at least 12 characters (no longer secure enough).

Change Your Passwords

Once you've secured your LastPass account, you need to update all the passwords in your LastPass vault.

Close Dormant Accounts

Start by closing any unused accounts.

Closing these account prevent unauthorized use and protects you against future data breaches which could expose your private information in the future.

If you haven't accessed them in well over a year, assess whether that account is necessary.

  1. Log onto your LastPass account.
  2. Close any unused accounts by logging onto each legacy site then follow the procedures to close your account.
  3. Remove any passwords for deleted accounts from your LastPass vault.

Change Remaining Passwords in Your Vault

Now that you've eliminated the unnecessary accounts from your LastPass vault, change the remaining passwords, using a unique password generated by LastPass.

Start with the most vulnerable sites (banks, credit cards, etc.) then move to the less valuable sites. This assumes that you did not share passwords across multiple sites.

Passwords Need to Be Longer and Stronger

To understand why these changes are necessary, see password vulnerability to brute force attacks.

Remember, you don't have to remember these passwords.

Once you've changed the password, log out of the account then log back in using your new password. If everything works, delete the temporary copy of your old password.

LastPass Guidance

LastPass has provided guidance for both consumer and business users:

Return to top

Leaving LastPass

Realize that ANY cloud-based password manager (or service) is potentially vulnerable.

The alternative is a secure password manager like Password Safe which resides only on ONE computer.

Steve Gibson's initial support of LastPass was one of the main reasons I felt I could recommend LastPass. That was before is was purchased by GoTo (formerly LogMeIn) then re-established as an independent private equity company in December 2021.

Steve has now moved to Bitwarden (as have I and most of the security folks I trust for advice).

Bitwarden Recommended

Bitwarden is open source which allows other developers and programmers to check the validity of the encryption process and point out vulnerabilities.

Don't Change Passwords in LastPass

If you're moving away from LastPass, do not change your passwords in LastPass.

  1. Set up your new password manager.
  2. Log onto your LastPass account.
  3. Close any unused accounts by logging onto each legacy site then follow the procedures to close your account.
  4. Now delete the legacy account from your LastPass vault.
  5. Once all legacy accounts have been deleted, export your LastPass data.

Warning: this data will be in CSV format and is NOT encrypted. Hold onto it only long enough to import it into your new password manager, then delete it securely.

  1. Choose your new password manager then set it up with a new, secure, master password.
  2. Import the passwords you've exported from LastPass.
  3. Proceed to log into each account then change your password for that account.
  4. Make a note of any account that won't let you change your password so that you're aware that the account and its password is likely vulnerable.
  5. I strongly recommend security each account with multifactor authentication. Authenticator apps provide additional security.

Once you've imported your LastPass data and have made the changes to your passwords in your new password manager, verify that everything is working before securely deleting the LastPass CSV file and your LastPass account.

Return to top

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/lastpass.html
Updated: June 26, 2025

Copyright © 1996– | Privacy | Navigation | RHC Design