Password Manager LastPass Suffers Data Breach After August Security Breach

Back in August 2022, an unknown attacker got into LastPass’s security systems and stole some proprietary code from the company’s development environment. At the time, the company assured everyone no customer data was stolen as this environment doesn’t contain any. Now, the company announced the same malicious party used this stolen data to access “certain elements” of customers’ information.

LastPass CEO Karim Toubba informed customers of the breach in a November 30 blog post, but has so far refrained from saying what was stolen. Toubba simply stated LastPass is working with security firm Mandiant to investigate the incident.

What Happened the Last Time LastPass was Hacked?

LastPass CEO Karim Toubba provides more information about the security incident.

In August 2022, LastPass announced an unauthorized party had gained access to a LastPass developer account for four days. During that time, the threat actor was able to steal source code and some of the company’s proprietary technical information. Apparently, the developer account didn’t have access to any customer information, encrypted vaults, or the production environment.

At the time, LastPass had also engaged security company Mandiant to help investigate the incident. The implication was that the company would plug any holes that let the attackers into its systems. It would also have made sense to apply prevention strategies to keep the stolen information from being used against the company.

The latter, at least, doesn’t seem to have happened: two months later, the threat actor has used the stolen code to steal additional information. Apparently, LastPass detected unusual activity within a third-party cloud storage service that it shares with its affiliate GoTo. The company has not provided further information about how exactly the attacker was able to breach this service.

What LastPass User Data Did Cybercriminals Steal?

It’s unclear at this stage how much the unauthorized party has stolen, what information they were able to access, and who is impacted. LastPass has yet to notify any customers whose data may have been compromised in the theft.

LastPass informed its customers about the data breach on the 30th of November.

Despite the breach, LastPass’s services remain functional and the company is adamant customer passwords remain safe. This is thanks to the password manager’s Zero Knowledge technology, which doesn’t store plain-text passwords on company servers. According to the company, if you use LastPass, only you have access to your unencrypted passwords.

Is LastPass Still Secure?

Unfortunately, these two incidents weren’t the only breaches LastPass has suffered. The company has had about seven security incidents in total, with the first one as far back as 2011. While some of these incidents were more serious than others, no cases have ever cropped up of someone’s passwords being compromised due to a LastPass data breach.

Toubba maintains that passwords remain safely encrypted despite the recent breach as well. Even so, the company still recommends its users follow its best practices around setup and configuration. This includes setting up multi-factor authentication in case an attacker ever gains access to your passwords.

Does this mean LastPass is still secure? That’s debatable, but based on past instances, as well as the way LastPass’s password protection works, it’s unlikely your passwords will be compromised. If you use LastPass to safely store your passwords, your data is likely still safer than the data of people who don’t use a password manager at all.

If nothing else, this is an important reminder that you’re responsible for the safety of your own data at the end of the day. No single program or tool is going to do it all for you and keep you safe all the time.

A Lesson Learned

Whenever we talk about increasing online security on this blog, we often recommend password managers. That’s because a password manager is much safer than writing down your password or saving it to your browser. Even though data breaches can happen, I’d still recommend you use a password manager because it continues to be the best option.

It’s easy to think of cybersecurity tools as infallible guardians that will provide you with 100% protection. While that’s a comforting thought, the truth is no one tool can ensure you’re fully protected or anonymous. Cybercriminals use a variety of methods to target you through the devices, apps, and tools you use. That means you need to apply a variety of habits and multiple layers of security to protect yourself.

Use a reliable password manager and a premium VPN, run a strong antivirus, leverage multi-factor authentication, stay on guard against phishing attempts and scams, and carefully check apps before you download them. Being proactive is one of the best things you can do to secure your digital privacy.

CyberGhost VPN implements a number of protective features to prevent third parties from ever accessing your data via our systems. We use one of the strongest encryption standards currently available, 256-bit AES encryption, to secure your internet traffic. We also protect that traffic by not collecting any of your data through our RAM-only servers, backed up by our No Logs Policy. Cybercriminals can’t pilfer any of your data if there’s nothing to steal!
