Skip to main content
  1. Home
  2. Computing
  3. News

LastPass reveals how it got hacked — and it’s not good news

Add as a preferred source on Google

Last year was a particularly bad one for password manager LastPass, as a series of hacking incidents revealed some serious weaknesses in its supposedly rock-solid security. Now, we know exactly how those attacks went down — and the facts are pretty breathtaking.

It all began in August 2022, when LastPass revealed that a threat actor had stolen the app’s source code. In a second, subsequent attack, the hacker combined this data with information found in a separate data breach, then exploited a weakness in a remote-access app used by LastPass employees. That allowed them to install a keylogger onto the computer of a senior engineer at the company.

A depiction of a hacker breaking into a system via the use of code.
Getty Images

Once that keylogger was in place, the hackers could scoop up the engineer’s LastPass master password as it was entered, granting them access to the employee’s vault — and all the secrets contained within.

Recommended Videos

They used that access to export the contents of the vault. Nestled among the data were the decryption keys needed to unencrypt customer backups stored in LastPass’s cloud storage system.

That’s important because LastPass kept production backups and critical database backups in the cloud. A large amount of sensitive customer data was also stolen, although it appears the hackers were not able to decrypt it. A LastPass support page details exactly what was stolen.

Questionable transparency

Image used with permission by copyright holder

Luckily for LastPass users, it seems that customers’ most sensitive data — such as (most) email addresses and passwords — were encrypted using a zero-knowledge method. That means they were encrypted with a key derived from each user’s master password and unknown to LastPass. When the hackers stole LastPass data, they were unable to get these decryption keys because they were not stored anywhere by LastPass.

That said, plenty of important data was taken by the threat actors. That included backups of LastPass’s multi-factor authentication database, API secrets, customer metadata, configuration data, and more. As well as that, it seems numerous products apart from LastPass were also breached.

On a support page, LastPass said the way the second attack was carried out — by using genuine employee login details — made it difficult to detect. In the end, the company realized something was wrong when its AWS GuardDuty Alerts system warned it that someone was trying to use its Cloud Identity and Access Management roles to perform unauthorized activity.

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

LastPass has come in for plenty of criticism over its handling of the attacks in recent months, and that disapproval is unlikely to die down in light of the latest revelations. In fact, one security company went so far as to say that LastPass was not a trustworthy app and that users to switch to different password managers.

Right now, LastPass is apparently trying to hide its attack support pages from search engines by adding “<meta name=”robots” content=”noindex”>” code to the pages. That will only make it more difficult for users (and the wider world) to find out what happened and hardly seems to be done in the spirit of transparency and accountability. Nothing has been published on the company blog either.

If you’re a LastPass customer, it might be better to find an alternative app. Fortunately, there are plenty of other superb password managers out there that can reliably protect your important information.

Alex Blake
Alex Blake has been working with Digital Trends since 2019, where he spends most of his time writing about Mac computers…
OpenAI is killing ChatGPT Atlas browser. I loved it, but it was an uphill race to the top
It was a trailblazer in a few ways, before it was copied down to its skeleton.
ChatGPT Atlas browser on a MacBook.

When OpenAI launched its own web browser, there was plenty of skepticism as to why a frontier AI lab is even bothering with making a browser in the first place. And yet, the company went ahead and launched ChatGPT Atlas with a heavy dosage of AI features built in. Well, the days of browser ambitions are over, and it will be put on cold ice in September this year.

OpenAI says it is sunsetting the short-lived browser in favor of pushing the new ChatGPT work desktop app, which already has a built-in browser as well as a cloud browser for AI agents. And now that ChatGPT is making its way to other browsers, such as Chrome, as an extension, there is little need for maintaining a dedicated browser project of its own.

Read more
Windows 11 Search is getting bigger, but only by 4 pixels
The change could be in preparation for the upcoming Ask Copilot feature
Windows 11 Laptop

If you have used Windows 11 Search after the June update, you may have noticed it feels a little less annoying. Microsoft recently made the Start menu and Search more responsive, and also fixed one of Search’s stranger limits by letting it find local files using just two characters.

Now, the company appears to be making a much smaller change. According to Windows Central, Microsoft accidentally revealed that the search box in the Taskbar and Start menu is getting 4 pixels taller. Four pixels sounds like the kind of change only a UI/UX designer could love, but screenshots from the Insider Preview build suggest it is visible once you know where to look.

Read more
Claude Reflect is here. It’s your usual yearly Wrapped, but with Anthropic’s AI
It also makes you reflect on your usage and reminds you to take breaks.
Page, Text, Business Card

Anthropic just launched a usage analytics dashboard for Claude. It’s like the ‘Wrapped’ feature you see every major streaming or AI service announce at the end of a year, except it’s not called Claude Wrapped.

The feature is called Claude Reflect, as it does more than simply tell you what you’ve been using the AI for. Available in beta for free, Pro, and Max users who have enabled memory, the feature encourages mindful use of Claude or other AI tools. 

Read more