LastPass Suffers Another Major Breach Exposing Your Data

Password manager LastPass has suffered its second major breach in six months. In August 2022, hackers infiltrated their developer environment. Now in December 2022 comes an even more alarming attack – with criminals gaining access to LastPass's cloud backups and stealing troves of customer data.

As a LastPass user myself for years, this repeat failure raises real concerns. The sheer volume of sensitive personal and financial information we entrust them to protect is now in malicious hands.

In this guide, I'll break down exactly what happened, just how serious the risks now are for us users, and actionable steps you can take to lock down your online security.

How Popular is LastPass?

To understand the widespread implications of this breach, it helps to first recognize just how many individuals and businesses rely on LastPass.

As of November 2022:

  • Over 25 million people worldwide use LastPass
  • User growth rate averages around 20% annually
  • Majority of subscribers utilize the free version

With adoption rapidly expanding year-over-year, the platform has become a pillar of password and identity management for consumers and companies alike.

But this central role also makes the platform an increasingly attractive target for skilled hackers looking to exploit security vulnerabilities for large-scale personal data theft, financial fraud or cyber extortion schemes.

Unfortunately, the platform's growing centrality combined with intensifying attacker incentives means last year saw not one but two major LastPass breaches.

Inside the August 2022 Developer Breach

LastPass publicly disclosed in August that unauthorized parties breached their developer environment hosted on a compromised third-party cloud service.

While hackers accessed source code and technical data, LastPass maintained that no customer data or password vaults were taken. Still, cybersecurity experts expressed concern that the underlying infrastructure weaknesses this initial breach revealed could be exploited further by attackers.

And those fears became reality a short four months later.

Breaking Down the December 2022 Backup Breach

In a December 2022 blog post, LastPass revealed an even more serious breach. Unknown hackers infiltrated the cloud storage used for LastPass production backups and exfiltrated user data files.

According to their ongoing investigation, the compromised files contain:

| Data Type | Risks | # of Users Impacted |
| --- | --- | --- |
| Encrypted Password Vaults | Vault cracking exposes stored site credentials | All LastPass Users |
| Email Addresses, Names | Phishing schemes, identity fraud | All LastPass Users |
| IP Addresses | Device fingerprinting, targeted attacks | All LastPass Users |
| Billing Addresses | Financial fraud crimes | All LastPass Users |
| Credit Cards, Transactions | Fraudulent charges, account theft | Subset of Paying Users |

With troves of personal and financial information now compromised, this breach poses severe identity theft and fraud risks for users.

And the type of data stolen will directly fuel a variety of follow-on cybercrimes:

  • Selling vault data on dark web forums – encrypted vaults containing hundreds of site credentials fetch high prices from cybercriminals
  • Credential stuffing against users' external accounts – automated tools try stolen username/password pairs against financial sites and webmail until one grants access
  • Identity spoofing – personal details enable falsely impersonating individuals for financial gain and fraud
  • Ransom extortion – user data is held hostage, with systems locked by malware, until a ransom is paid
  • Trojan installation – emails personalized with stolen user details convince recipients to open dangerous malware attachments

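From the defender's side, the credential-stuffing pattern listed above is visible in a site's own authentication logs: one source address trying many distinct usernames in a short window, with mostly failed attempts and the occasional success where a reused vault password still works. The script below is an added example, not code from the original post or from LastPass; the log format, the IP addresses, the usernames and the thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing bursts in authentication logs (added example).

Assumed log format (constructed): "<ISO timestamp> <client ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one stuffing burst from 203.0.113.5, one legitimate user
# mistyping a password twice from 198.51.100.7, and normal logins from 192.0.2.44.
SAMPLE_LOG = """\
2022-12-23T10:00:01Z 203.0.113.5 alice FAIL
2022-12-23T10:00:02Z 203.0.113.5 bob FAIL
2022-12-23T10:00:02Z 203.0.113.5 carol FAIL
2022-12-23T10:00:03Z 203.0.113.5 dave FAIL
2022-12-23T10:00:03Z 203.0.113.5 erin OK
2022-12-23T10:00:04Z 203.0.113.5 frank FAIL
2022-12-23T10:00:05Z 203.0.113.5 grace FAIL
2022-12-23T10:01:10Z 198.51.100.7 alice FAIL
2022-12-23T10:01:25Z 198.51.100.7 alice FAIL
2022-12-23T10:01:40Z 198.51.100.7 alice OK
2022-12-23T10:02:00Z 192.0.2.44 heidi OK
2022-12-23T10:02:30Z 192.0.2.44 heidi OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for source IPs whose traffic looks like credential stuffing.

    The signature used here (assumed thresholds): within `window`, at least
    `min_distinct_users` different usernames from one IP, and at least
    `min_fail_ratio` of those attempts failing. A single user retrying their
    own password does not trip this because the distinct-user count stays at 1.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            per_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        # Slide a time window over this IP's events and keep the window that
        # spans the most distinct usernames.
        best_chunk, best_users, start = [], set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) > len(best_users):
                best_chunk, best_users = chunk, users

        fails = sum(1 for _, _, r in best_chunk if r == "FAIL")
        ratio = fails / len(best_chunk)
        if len(best_users) >= min_distinct_users and ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(best_users),
                "attempts": len(best_chunk),
                "fail_ratio": round(ratio, 2),
                # Accounts that authenticated during the burst: the stolen
                # password worked, so these need a forced reset and review.
                "compromised_logins": sorted(u for _, u, r in best_chunk if r == "OK"),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The useful output is not the flagged IP so much as the `compromised_logins` list: those are the accounts where a reused password succeeded during the burst, and they should be reset and reviewed whether or not the source address is later blocked.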
Essentially, this single backup breach alone could spawn countless subsequent attacks targeting LastPass customers – even if vault encryption itself remains secure.

Assessing LastPass's Security Infrastructure Gaps

For any company advertising itself as an identity and password management protector, the gravity of two significant breaches in six months raises real competency concerns.

While occasional incidents affect all online firms, research shows LastPass's security practices and infrastructure lag behind top competitors:

| Security Standard | LastPass Capability | Industry Best Practice |
| --- | --- | --- |
| Endpoint Monitoring | Partial, missed malware behind August breach | Continuous, locks out unauthorized access attempts |
| Cloud Encryption | AES 256-bit encryption | Triple encryption protocols more secure |
| Breach Detection | Took 4+ days to spot December breach | Instant attack alerts and blocking |
| Remote Data Shredding | None, slow to revoke old cloud access rules | Can instantly block/delete stolen data post-breach |

With backup files and encrypted vaults now exfiltrated in the December incident, these backend protection gaps clearly failed to detect or quickly react to unauthorized access.

And looking deeper, the August developer platform breach first revealed infrastructure weaknesses that hackers then exploited further in the December reattack, which hit far more sensitive systems. LastPass's dangerous downplaying of the initial hack's severity clearly gave criminals a blueprint for maximizing follow-on data theft.

While any one online firm will eventually get hit these days, the sluggish responses enabled adversaries to inflict wider damage across sequential breaches here. And with rival password managers like 1Password and Keeper rightly critiquing LastPass's security controls, their reputation as a reliable guardian now stands on shaky ground.

Steps Users Should Take to Protect Their Accounts

First and foremost, all LastPass users need to immediately reset their Master Password as a precaution. Doing so invalidates vault decryption keys potentially stolen in the breach.

Also turn on enhanced Multi-Factor Authentication if it is not already activated. The extra login verification step helps block criminals from accessing your vault or external sites even with your username and password in hand.

However, considering the severity of personal information now leaked, only resetting your Master Password may prove inadequate to fully safeguard your online identities. More aggressive precautions are prudent as well:

  • Audit Your Vault – Delete old or irrelevant sites and ensure all crucial account credentials stored are current
  • Change External Account Passwords – Major sites such as banking, email and ecommerce accounts may still use outdated vault passwords that unknown parties now potentially possess
  • Remove Credit Cards – Delete stored financial data to prevent possible unauthorized charges
  • Export Then Delete Your Vault – Back up the vault contents first, then wipe all old data from LastPass servers given the breaches
  • Consider Alternative Managers – Top rivals 1Password and Dashlane offer superior security infrastructure options worth exploring
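The first three steps above (audit the vault, rotate passwords on high-value sites, remove stored card data) can be worked through systematically from a vault export rather than by scrolling through entries by hand. The script below is an added example and is not code from the original post or from LastPass. It assumes the export is a CSV with the columns `url,username,password,totp,extra,name,grouping,fav`; check that against your actual export before relying on it. Every entry in the sample, including the card number (a well-known test number), is constructed. It reports reused passwords, short passwords, plain-http sites, card numbers sitting in notes fields, and which high-value entries to rotate first.

```python
"""Audit an exported password-vault CSV for breach follow-up (added example).

Assumed export layout: url,username,password,totp,extra,name,grouping,fav
Thresholds and high-value keywords below are assumptions, not vendor guidance.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. The card number is the standard 4111... test value.
SAMPLE_EXPORT = """\
url,username,password,totp,extra,name,grouping,fav
https://bank.example.com,alice,Tr0ub4dor&3,,,,Finance,0
https://mail.example.com,alice@example.com,Tr0ub4dor&3,,,,Email,1
https://shop.example.com,alice,correct-horse-battery-staple,,,,Shopping,0
https://forum.example.org,alice99,hunter2,,,,Misc,0
http://oldsite.example.net,alice,password1,,,,Misc,0
https://www.example.com/notes,,,,Visa 4111 1111 1111 1111 exp 12/24,Card notes,Finance,0
"""

HIGH_VALUE_HINTS = ("bank", "mail", "shop", "pay")  # assumed: sites to rotate first
MIN_PASSWORD_LENGTH = 10                             # assumed minimum length
CARD_PATTERN = re.compile(r"(?:\d[ -]?){13,19}")     # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits):
    """Luhn checksum: true for syntactically valid payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the last four digits of each Luhn-valid card number found in free text."""
    found = []
    for m in CARD_PATTERN.finditer(text or ""):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits[-4:])  # never echo the full number into a report
    return found


def audit_vault(csv_text):
    """Produce a breach-response checklist from a vault export."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    report = {"reused": [], "weak": [], "insecure_url": [],
              "stored_cards": [], "rotate_first": []}

    for row in rows:
        label = row["url"] or row["name"]
        pw = row["password"]
        if pw:
            by_password[pw].append(label)
            if len(pw) < MIN_PASSWORD_LENGTH:
                report["weak"].append(label)
            # Credentials for high-value services go to the top of the rotation list.
            if any(hint in row["url"] for hint in HIGH_VALUE_HINTS):
                report["rotate_first"].append(label)
        if row["url"].startswith("http://"):
            report["insecure_url"].append(label)
        # Card data hiding in notes fields is exactly what "Remove Credit Cards" targets.
        if find_card_numbers(row["extra"]):
            report["stored_cards"].append(label)

    # A password shared by two or more entries: one leaked vault exposes all of them.
    report["reused"] = [sorted(v) for v in by_password.values() if len(v) > 1]
    return report


if __name__ == "__main__":
    for section, items in audit_vault(SAMPLE_EXPORT).items():
        print(f"{section}: {items}")
```

Run it against a freshly exported file, then delete the export once the checklist is worked through; the export is the plaintext of everything the vault protects. Reused passwords are the most urgent group, since one cracked entry unlocks every site in that group.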

Essentially, view this leak of your personal data as compromising the integrity of your entire digital identity. Comprehensive action must be taken to restore safety across each external site you use online.

The Ongoing Threat Environment Makes Everyone Vulnerable

Stepping back, the LastPass case reinforces some cold truths about managing private information online today. Sophisticated hacking tools and booming data theft black markets mean all centrally managed identity platforms face regular attacks – and determined adversaries will eventually find their way in.

No magic cyber bullet yet exists to guarantee absolute protection in this environment. Rather, managing personal security online remains an ongoing series of trade-off decisions among less-than-perfect options.

For LastPass specifically however, I've lost considerable confidence in their backend defenses after two major breaches in six months. As an identity guardian, they've clearly struggled with securing their own infrastructure. And the slow response enabled mass customer data theft once hackers penetrated their cloud.

So whether staying with them or evaluating alternatives, continually evolving threats mean we all must remain proactive about best security practices – not just rely on any one provider. The stakes for personal data protection will only deepen as more of our lives move online.