LastPass Suffers Second Breach in Six Months, Putting 25 Million Users at Risk

Popular password management service LastPass disclosed its second major security breach within six months, calling into question whether users’ sensitive data remains secure with the platform.

In the latest incident, disclosed on December 22nd, LastPass said an unauthorized party used information taken in an earlier intrusion to target an employee and obtain credentials and keys, then used those to access a third-party cloud storage service holding backups of customer data. That earlier intrusion, disclosed in August 2022, was a four-day compromise of portions of LastPass’s development environment through a single compromised developer account.

While LastPass emphasizes that all user passwords are protected by encryption, security experts have raised the alarm, since attackers persistently target password managers for the rich troves of logins, financial information and other vital digital assets they consolidate. Let’s analyze LastPass’s twin data breaches from 2022 more closely:

The August 2022 Breach: How it Happened and What Was Learned

LastPass revealed in August that a threat actor, using a single compromised developer account, had spent four days inside portions of its development environment and taken portions of source code and some proprietary technical information.

While no customer data or encrypted password vaults were taken (the development environment held none), the breach showed how much a single compromised developer account could reach. The source code and technical information taken also gave the attacker what it needed to mount the later, more expansive attack disclosed in December.

The December 2022 Breach: Broad Exposure of User Data

In this more damaging incident, the attacker used information obtained in August to target an employee and obtain credentials and keys for a third-party cloud storage service that held backups of customer data. As described in the December breach notice, the attacker was then able to copy a backup of customer vault data, including:

  • Website URLs (stored unencrypted)
  • Encrypted website usernames and passwords
  • Encrypted form auto-fill data
  • Encrypted secure notes
  • Basic account information: names, company names, billing addresses, email addresses and telephone numbers
  • IP addresses from which customers accessed the service

The encrypted fields remain protected by each user’s vault key, but the unencrypted URLs reveal which sites every user holds accounts with, and combined with names, email addresses and phone numbers that is enough for convincing targeted phishing. A single cracked master password exposes everything in that user’s vault at once.

The attacker also went undetected for an extended period: LastPass later placed the second intrusion between August 12 and October 26, 2022, roughly ten weeks. That raises the question of what else was exfiltrated during that time and whether the code taken in August was tampered with, though LastPass has said its review of source code and production builds found no evidence of injected malicious code.

Consequences for LastPass’s 25 Million Users

For individual LastPass users, the main risks from this breach fall into two buckets:

1. Offline master-password cracking – Each stolen vault copy is encrypted with a key derived from the user’s master password (PBKDF2-HMAC-SHA256 salted with the account email, 100,100 iterations by default for newer accounts but far fewer on some older ones). Anyone holding a copy can test master-password guesses offline at whatever rate their hardware allows, and a correct guess unlocks the entire vault. Changing the master password now protects the live account but does nothing for the copy already stolen, so anyone with a short, guessable or reused master password, or a low iteration count, should treat the vault’s contents as exposed.

2. Identity fraud and targeted phishing – Names, billing addresses, email addresses and phone numbers were taken in the clear, as were the website URLs in each vault, which together give attackers a ready-made list of who holds accounts where. Expect phishing that impersonates LastPass or the sites in your vault. LastPass said it does not store complete credit card numbers and that card data was not in the stolen archive, but fraud alerts and close monitoring of financial statements in the coming months remain prudent.
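To make the cracking risk concrete, here is an added example written for this article (it is not LastPass’s code). It derives a vault key with PBKDF2-HMAC-SHA256 salted with the account email, as LastPass documents, seals a constructed sample vault with a toy HMAC-based cipher standing in for AES-256-CBC, and then runs the offline guessing attack that anyone holding the stolen copy can run. It also shows why changing the master password afterwards does not protect that copy. The email address, wordlist, vault contents and iteration counts are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Iteration counts discussed in the article: 100,100 is the documented default
# for newer LastPass accounts; 5,000 was the earlier default still in force on
# some older accounts. Assumed typical settings, not a claim about any victim.
ITER_OLD_DEFAULT = 5_000
ITER_CURRENT_DEFAULT = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt = lower-cased account email)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for AES, constructed for this example."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_vault(vault: dict, vault_key: bytes) -> bytes:
    """Encrypt-then-MAC with the toy cipher; returns nonce || tag || ciphertext."""
    nonce = os.urandom(16)
    plaintext = json.dumps(vault, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext


def open_vault(blob: bytes, vault_key: bytes):
    """Return the decrypted vault, or None when the key is wrong (tag check fails)."""
    nonce, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(vault_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def crack_vault(blob: bytes, email: str, iterations: int, candidates):
    """Offline attack: holding the blob, try master-password guesses until one opens it.
    Returns (password, vault, guesses_made); password and vault are None on failure."""
    for guesses, guess in enumerate(candidates, start=1):
        vault = open_vault(blob, derive_vault_key(guess, email, iterations))
        if vault is not None:
            return guess, vault, guesses
    return None, None, len(candidates)


def seconds_per_guess(iterations: int, email: str = "alice@example.com", samples: int = 3) -> float:
    """Rough cost of one guess at a given iteration count on this machine (single core, no GPU)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", email, iterations)
    return (time.perf_counter() - start) / samples


def demo_stolen_copy(email: str = "alice@example.com") -> dict:
    """Why changing the master password after the theft does not protect the stolen copy."""
    secrets = {  # constructed sample vault contents
        "https://bank.example": ["alice", "hunter2"],
        "https://mail.example": ["alice@example.com", "s3cret-mail"],
    }
    wordlist = ["password", "123456", "Password1", "Summer2022!", "letmein", "qwerty"]

    # The copy the attacker exfiltrated: weak master password, old default iteration count.
    stolen = seal_vault(secrets, derive_vault_key("Summer2022!", email, ITER_OLD_DEFAULT))
    # The user then changes the master password on the live service. The live vault is
    # re-encrypted under the new key, but the attacker's copy stays exactly as it was.
    live = seal_vault(secrets, derive_vault_key("bramble-quiet-violet-anvil-37", email, ITER_CURRENT_DEFAULT))

    old_pw, exposed, guesses = crack_vault(stolen, email, ITER_OLD_DEFAULT, wordlist)
    new_pw, _, _ = crack_vault(live, email, ITER_CURRENT_DEFAULT, wordlist)
    return {
        "stolen_copy_cracked_with": old_pw,  # "Summer2022!"
        "guesses_needed": guesses,           # 4
        "exposed_secrets": exposed,          # every credential in the vault
        "live_copy_cracked_with": new_pw,    # None: strong passphrase, not in the wordlist
    }


if __name__ == "__main__":
    print(demo_stolen_copy())
    for n in (ITER_OLD_DEFAULT, ITER_CURRENT_DEFAULT):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

The only thing that helps against the stolen copy is rotating the secrets inside it, so that whatever the attacker eventually decrypts is stale. The per-guess timings are for a single CPU core in Python; a GPU cracking rig tests master passwords orders of magnitude faster, which is why a low iteration count combined with a weak master password is the worst case.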

While LastPass maintains that vault data remains protected by encryption, many security practitioners have noted that one employee’s credentials and keys should never have been sufficient to reach and decrypt backups of every customer’s vault; the back-to-back incidents point to inadequate compartmentalization between engineering access and customer data at rest.

Allowing an intruder months of undetected access across developer systems and backup storage is a major red flag for customers who trust LastPass with the keys to their digital kingdom.

How LastPass’s Response Compares to Best Practices

In disclosing these breaches, LastPass followed proper protocol in notifying customers and relevant authorities while conducting its incident investigation. However, the time taken to detect the second intrusion – more than two months by its own later account – is worryingly long by industry standards.

Most experts recommend detecting and containing a breach within hours, or days at most, before data can be exfiltrated. That the attacker had ample time to study what it took in August and prepare the second attack does not reflect well on LastPass’s internal security monitoring.

Looking deeper, while encryption kept the stolen vaults from exposing passwords in the clear, the disclosures point to several control failures that enabled the attacks themselves:

  • A single compromised developer account was enough to reach source code and technical documentation in the development environment
  • Credentials and keys obtained from one employee were enough to access and decrypt cloud-stored backups of customer vaults
  • Access to that backup storage with valid credentials was not flagged as anomalous before the data had been copied

These gaps point to work LastPass must do on access controls, on separating engineering access from customer data and its backups, and on identity management (phishing-resistant multifactor authentication for staff and short-lived, narrowly scoped keys) to regain customer trust after two damaging strikes.
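As an added illustration of the kind of anomaly detection the list above says was missing (example code written for this article, not LastPass’s or any cloud provider’s tooling), the following learns which source addresses each principal normally uses from a quiet period of storage access logs, then flags two things in later logs: valid credentials used from a source never seen for that principal, and several vault backups read within a short window by an identity that normally only lists or writes. The log format, principals, addresses and object names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines, "<timestamp> <principal> <source_ip> <action> <object>".
# Illustrative only; not LastPass's or any cloud provider's real log format.
BASELINE_LOG = """\
2022-08-01T02:00:03Z backup-svc 10.0.0.5 PutObject backups/vaults/2022-08-01.bin
2022-08-02T02:00:02Z backup-svc 10.0.0.5 PutObject backups/vaults/2022-08-02.bin
2022-08-03T02:00:04Z backup-svc 10.0.0.5 PutObject backups/vaults/2022-08-03.bin
2022-08-03T14:12:51Z devops-eng 198.51.100.20 ListBucket backups/
2022-08-04T02:00:01Z backup-svc 10.0.0.5 PutObject backups/vaults/2022-08-04.bin
2022-08-05T09:47:13Z devops-eng 198.51.100.20 GetObject backups/config/restore-runbook.md
"""

INCIDENT_LOG = """\
2022-08-12T02:00:02Z backup-svc 10.0.0.5 PutObject backups/vaults/2022-08-12.bin
2022-08-12T19:04:11Z devops-eng 203.0.113.7 ListBucket backups/
2022-08-12T19:04:40Z devops-eng 203.0.113.7 GetObject backups/vaults/2022-08-08.bin
2022-08-12T19:05:02Z devops-eng 203.0.113.7 GetObject backups/vaults/2022-08-09.bin
2022-08-12T19:05:31Z devops-eng 203.0.113.7 GetObject backups/vaults/2022-08-10.bin
2022-08-12T19:06:10Z devops-eng 203.0.113.7 GetObject backups/vaults/2022-08-11.bin
2022-08-12T19:06:55Z devops-eng 203.0.113.7 GetObject backups/vaults/2022-08-12.bin
2022-08-13T02:00:03Z backup-svc 10.0.0.5 PutObject backups/vaults/2022-08-13.bin
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into records with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, ip, action, obj = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal, "ip": ip, "action": action, "object": obj,
        })
    return records


def build_baseline(records: list) -> dict:
    """Source IPs each principal has been seen from during the learning period."""
    seen = defaultdict(set)
    for r in records:
        seen[r["principal"]].add(r["ip"])
    return seen


def detect(records: list, baseline: dict, window: timedelta = timedelta(minutes=10),
           bulk_threshold: int = 3, prefix: str = "backups/vaults/") -> list:
    """Return alerts for new-source logins and bulk reads of vault backups."""
    alerts = []
    new_sources = set()
    reads = defaultdict(list)  # principal -> timestamps of vault-backup reads in the window
    for r in sorted(records, key=lambda rec: rec["ts"]):
        # Rule 1: valid credentials used from a source never seen for this principal.
        pair = (r["principal"], r["ip"])
        if r["ip"] not in baseline.get(r["principal"], set()) and pair not in new_sources:
            new_sources.add(pair)
            alerts.append({"rule": "new-source-for-principal", "principal": r["principal"],
                           "ip": r["ip"], "ts": r["ts"]})
        # Rule 2: several vault backups read within the window. The backup job only
        # writes them, so bulk reads by anyone are worth a human look.
        if r["action"] == "GetObject" and r["object"].startswith(prefix):
            recent = [t for t in reads[r["principal"]] if r["ts"] - t <= window] + [r["ts"]]
            reads[r["principal"]] = recent
            if len(recent) == bulk_threshold:  # fire once, when the threshold is crossed
                alerts.append({"rule": "bulk-read-of-vault-backups", "principal": r["principal"],
                               "ip": r["ip"], "count": len(recent), "ts": r["ts"]})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for alert in detect(parse_log(INCIDENT_LOG), baseline):
        print(alert)
```

Both rules trigger on the first evening of the constructed incident, long before any multi-month dwell time. Neither depends on a known-bad indicator: the point is that access with perfectly valid credentials still has a shape, and it is the departure from that shape (a new source, reads where there are normally only writes) that a monitoring pipeline has to be built to notice.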

What Should LastPass Users Do Now?

Firstly, all LastPass users should assume a copy of their vault is in the attacker’s hands, with the website URLs and their account details in the clear and everything else protected only by the strength of their master password. As such, necessary steps include:

  • Set a new master password that is long and random (a passphrase of several unrelated words, or 16 or more random characters), is not used anywhere else, and turn on multifactor authentication; this one change matters far more than periodic rotation
  • Check the vault’s PBKDF2 iteration count in account settings and raise it to the current recommended value (LastPass later raised its default to 600,000); the live vault is re-encrypted when it changes
  • Reset ALL website passwords that LastPass filled or stored on your behalf, starting with email, banking and any account used to reset other passwords, because the stolen copy can still be cracked no matter what the new master password is
  • Contact financial services and place fraud alerts in case billing details are misused
  • Cancel and replace any payment cards saved in your LastPass vault
  • Consider identity protection services that monitor for compromised credentials on dark web sites
  • Think carefully about whether LastPass remains your best choice of password manager going forward

This last step around potentially switching providers brings up a final pertinent question…

Is It Still Safe to Trust LastPass After Repeated Security Hits?

The nature of these back-to-back LastPass breaches leaves its reputation as a stalwart password guardian in a precarious state moving into 2023.

Yes, vault encryption prevented direct exposure of customer credentials in the clear. However, the breakdowns that enabled months of unauthorized access seriously undermine long-term confidence in LastPass’s operational safeguards, especially given attackers’ persistence in targeting password managers.

2022 represented a major trust setback for LastPass. While credit is due for responding appropriately, difficult security and architecture reviews lie ahead to win back users’ faith that it can be trusted as custodian of their credentials when data protection counts most.

For customers weighing future providers, open source alternatives like KeePass keep a local-only vault with no vendor cloud to breach (at the cost of handling backup and sync yourself), while Bitwarden is open source, regularly audited and can be self-hosted.

Of course, every password manager and online service carries inherent risk. But for LastPass to emerge from 2022’s humbling security incidents as a cybersecurity leader again, major controls investments and environmental hardening appear necessary to match its earlier reputation.

Ultimately cyber attacks evolve rapidly, and defensive tools always carry some limitations. But LastPass’s 25 million individual and business users deserve assurance that improved safeguards are being put in place quickly to prevent history repeating. Time will tell whether its response meets the gravity of that challenge to user trust.
