LastPass Breach: What You Need to Know

LastPass breach - what happened, what is the impact, and what you should do next.

tl;dr LastPass, one of the popular password managers, got breached in August 2022, downplayed the severity of the incident, lulled users into a false sense of security, and is still not doing right by their users. If you're still a LastPass user, switch to another solution, and reset all your stored passwords now.

So, What Happened?

On 25 August 2022, LastPass published a notice stating that an unauthorised party had gained access to a part of their development environment, and stolen source code and other proprietary information. But, the users' master passwords had not been compromised, encrypted vault data had not been accessed and, consequently, there was no action required of users.

On 15 September 2022, LastPass released an update stating that their investigation had completed, and reaffirmed that user data had not been accessed. They also stated that their development environment was physically separate from the production environment, did not contain user or encrypted vault data, and affirmed that there was no way to decrypt vault data without access to the users' master passwords.

LastPass security incident
LastPass security incident

On 30 November 2022, LastPass released another update alerting users that certain customer data had been accessed, but offered no further visibility or guidance. The final update (at the time of writing) was published on 22 December 2022, just before the Christmas holidays, where LastPass casually admitted that some credentials and keys were stolen, and used to access and decrypt a cloud storage environment containing user information and encrypted vault data.

Update: On 27 February 2023, LastPass disclosed that the threat actor leveraged information stolen earlier, information from a third-party data breach, and a vulnerability in a third-party media software package, to implant keylogger malware on the personal computer of a LastPass DevOps engineer to access the encrypted corporate vault. The threat actor then exported the corporate vault entries and content of critical internal folders which contained encrypted secure notes with "access and decryption keys needed to access the production backups, other storage resources, and related critical database backups"! Just wow.

Does This Impact Me?

Yes! Among other items, the following was stolen from the cloud storage volumes:

  • Customer account information and metadata: company names, end user names, billing addresses, email addresses, telephone numbers, IP addresses
  • Unencrypted vault data: website URLs
  • Encrypted vault data: website usernames and passwords, secure notes and form-filled data

The encrypted data was secured with 256-bit AES encryption keys derived from the users' master passwords (see this comment for specifics). LastPass claims that they have required strong master passwords since 2018, but they haven't actually enforced that for older users. So while not everyone will be equally affected, users with weak or previously compromised master passwords, and high-value targets will be surely impacted. Stored your crypto seed phrase in LastPass? Better hope your master password was strong enough.

Changing your master password now will not alleviate the problem. Neither will the fact that you had two-factor authentication in place, including a security key. And with access to your email address, IP address and website URLs, attackers will have a much easier chance to crack your application passwords with phishing and credential stuffing attacks.

What Should I Do Now?

If you haven't done so already, migrate all your passwords off LastPass to another solution like 1Password, Bitwarden or KeePassXC (I've covered them at length in an earlier post). Despite multiple security incidents and outcries from security researchers over the years, LastPass has just not demonstrated the seriousness required of a company that manages your damn passwords.

Here's what I would do in a situation like this (i.e LastPass user):

  1. Create an account with 1Password or Bitwarden. Configure a suitably long and complex master password, memorise and store it in a secure, offline location. As a bonus, 1Password also generates a unique secret key for each account.
  2. Configure two-factor authentication with a security key like YubiKey (USB-A/NFC, USB-C/NFC or USB-C/Lightning).
  3. Migrate your application passwords from LastPass one-by-one (highest value websites first!). Reset each password as you migrate, store it only in the new solution, and delete it from LastPass. If you have a lot of passwords, this will also help with tracking.
  4. Ensure the passwords are removed from LastPass deleted items, remove all other sensitive data, and delete the account.
  5. Finally, use KeePassXC (for Mac) in strictly offline mode for critical passwords (email/DNS, financial, healthcare). Strong security always has tradeoffs, and I'd happily trade convenience for peace of mind.

Additional Reading

Subscribe to alphasec

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.