Originally Posted by jimkerr
This is terrible advice. I’ve been in the IT industry for many years. Last pass used to be a password manager I used until their security breaches.
I assume you’re referring to the "LastPass security breach." LastPass, a widely used password manager, experienced significant security incidents, with the most notable and impactful occurring in 2022. Because of this, I don’t trust it anymore. Here are the details.
The LastPass security breach unfolded in multiple stages throughout 2022, with the company disclosing critical updates over several months. It began in August 2022 when LastPass announced that an unauthorized party had accessed portions of its development environment, stealing source code and proprietary technical information. At the time, the company assured users that no customer data or encrypted password vaults were compromised, and the breach was contained within the development environment, which was separate from production systems holding sensitive user data.
However, the situation escalated in November 2022 when LastPass revealed a second related incident. Using information stolen in the August breach, the attacker gained access to a third-party cloud storage service that LastPass used to store backups of customer data. By December 22, 2022, the company confirmed that this breach was far more severe than initially suggested. The attacker had copied a backup of customer vault data, which included both unencrypted data—such as website URLs—and encrypted sensitive fields, like usernames, passwords, secure notes, and form-filled data. Additionally, basic account information such as names, email addresses, billing addresses, phone numbers, and IP addresses was stolen. The encrypted data was protected by 256-bit AES encryption and could only be decrypted with each user’s unique master password, which LastPass does not store or have access to due to its zero-knowledge architecture.
Further details emerged in March 2023, when LastPass provided a comprehensive update. The attacker had targeted a senior DevOps engineer’s home computer, exploiting a vulnerability in third-party media software (suspected to be Plex) to install keylogger malware. This allowed the attacker to capture the engineer’s master password after they authenticated with multi-factor authentication (MFA), granting access to the engineer’s corporate LastPass vault. From there, the attacker obtained decryption keys for the cloud storage backups, enabling them to access and exfiltrate the sensitive customer data. This incident highlighted a sophisticated, multi-step attack that leveraged both the initial breach and social engineering tactics.
The fallout from this breach has been significant and ongoing. While LastPass maintained that users with strong, unique master passwords adhering to its defaults (at least 12 characters and 100,100 iterations of PBKDF2 hashing) were secure—claiming it would take millions of years to crack such passwords with current technology—experts raised concerns. If users had weak or reused master passwords, especially from prior breaches available on the dark web, their vaults could be vulnerable to brute-force attacks. This led to widespread recommendations for users to change all passwords stored in LastPass and consider switching to alternative password managers like 1Password or Bitwarden, which have not reported similar breaches.
The breach’s impact extended beyond immediate data loss. In late 2024, reports surfaced linking the stolen LastPass data to cryptocurrency thefts. Blockchain investigators, such as ZachXBT, claimed that hackers using the 2022 breach data stole millions in crypto assets, with over $5 million reportedly taken in December 2024 alone and a total exceeding $12 million across multiple incidents. These attacks targeted users who had stored crypto seed phrases or keys in their LastPass vaults, exploiting the encrypted data once decrypted with compromised master passwords.
LastPass responded by enhancing security measures, including rebuilding its development environment, rotating credentials, and enforcing stricter master password requirements (e.g., a 12-character minimum for all users by January 2024). The company also spun off from its parent company, GoTo, in 2024, aiming to rebuild trust under new leadership. However, its handling of the breach—marked by delayed and piecemeal disclosures—drew criticism from users and security experts, damaging its reputation. Many questioned the company’s transparency and its ability to protect sensitive data, especially given prior incidents in 2011, 2015, and earlier in 2022.
In summary, the LastPass security breach of 2022 was a complex, multi-phase attack that compromised user data through a combination of stolen source code, cloud storage access, and a targeted keylogger attack on an employee. While encrypted data remained secure for users with strong master passwords, the breach exposed vulnerabilities in LastPass’s infrastructure and response strategy, leading to long-term consequences like crypto thefts and a loss of user trust. If you’re a LastPass user, it’s wise to ensure your master password is robust, rotate sensitive credentials, and monitor for any suspicious activity.