
LastPass reveals how it got hacked — and it’s not good news

Last year was a particularly bad one for password manager LastPass, as a series of hacking incidents revealed some serious weaknesses in its supposedly rock-solid security. Now, we know exactly how those attacks went down — and the facts are pretty breathtaking.

It all began in August 2022, when LastPass revealed that a threat actor had stolen the app’s source code. In a second attack, the hacker combined this data with information found in a separate data breach, then exploited a weakness in a remote-access app used by LastPass employees. That allowed them to install a keylogger onto the computer of a senior engineer at the company.


Once that keylogger was in place, the hackers could scoop up the engineer’s LastPass master password as it was entered, granting them access to the employee’s vault — and all the secrets contained within.

They used that access to export the contents of the vault. Nestled among the data were the decryption keys needed to unencrypt customer backups stored in LastPass’s cloud storage system.

That’s important because LastPass kept production backups and critical database backups in the cloud. A large amount of sensitive customer data was also stolen, although it appears the hackers were not able to decrypt it. A LastPass support page details exactly what was stolen.

Questionable transparency

Luckily for LastPass users, it seems that customers’ most sensitive data — such as (most) email addresses and passwords — were encrypted using a zero-knowledge method. That means they were encrypted with a key derived from each user’s master password and unknown to LastPass. When the hackers stole LastPass data, they were unable to get these decryption keys because they were not stored anywhere by LastPass.
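To make the zero-knowledge point concrete, here is an added illustration (not LastPass’s code, and not its exact scheme) of how a vault can be designed so the server never holds the decryption key: the client derives the vault key from the master password with PBKDF2, sends the server only a further one-way hash for login plus the encrypted vault, and a copy of the server’s record therefore cannot be decrypted. The e-mail address, password, iteration count and the HMAC-based stream cipher standing in for AES-GCM are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; assumed value for this example (production
# deployments use a much higher count).
ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Derive the vault encryption key on the client.

    The salt is the normalised account e-mail, so the same key is reproduced
    on every device without the server storing anything extra. This key is
    never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further one-way derivation yields the value sent to the server for
    authentication; it cannot be reversed into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a CTR-mode block cipher using only the standard library:
    HMAC-SHA256 as a PRF over nonce || counter. A real client would use an
    AEAD such as AES-GCM instead."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    return (
        hmac.new(vault_key, b"enc", "sha256").digest(),
        hmac.new(vault_key, b"mac", "sha256").digest(),
    )


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault failed authentication: wrong key or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def server_record(email: str, master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the client uploads; this is all a server-side breach yields."""
    vault_key = derive_vault_key(master_password, email)
    return {
        "email": email,
        "login_hash": derive_login_hash(vault_key, master_password),
        "vault_blob": encrypt_vault(vault_key, vault_plaintext),
    }


def decryptable_with_stolen_record(record: dict) -> bool:
    """Model an attacker holding only the stolen record: the login hash is the
    only key-like material present, and it does not open the vault."""
    try:
        decrypt_vault(record["login_hash"], record["vault_blob"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample account; not real credentials.
    rec = server_record("alice@example.com", "correct horse battery", b"example.com: hunter2")
    print("stolen record decryptable:", decryptable_with_stolen_record(rec))
    key = derive_vault_key("correct horse battery", "alice@example.com")
    print("client decrypts:", decrypt_vault(key, rec["vault_blob"]))
```

The caveat the article itself raises still applies to this design: only what is inside the encrypted blob is protected, so metadata stored alongside it (the e-mail used as a salt, URLs kept outside the vault, backup configuration) is readable by anyone who obtains the server’s copy.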

That said, plenty of important data was taken by the threat actors. That included backups of LastPass’s multi-factor authentication database, API secrets, customer metadata, configuration data, and more. As well as that, it seems numerous products apart from LastPass were also breached.

On a support page, LastPass said the way the second attack was carried out — by using genuine employee login details — made it difficult to detect. In the end, the company realized something was wrong when its AWS GuardDuty Alerts system warned it that someone was trying to use its Cloud Identity and Access Management roles to perform unauthorized activity.
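The detection angle is worth spelling out: valid credentials defeat signature-style checks, so what remains is behavioural anomaly on the cloud side, which is the kind of signal the article says GuardDuty eventually raised. The following is an added, simplified example of that idea, written for this page rather than taken from LastPass or from GuardDuty’s own logic. It runs two rules over constructed CloudTrail-style log lines: an IAM role being used from a source address outside its expected set, and a burst of AccessDenied errors from one role session. The account ID, role name, IP addresses and threshold are all assumptions.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (not real LastPass or AWS data). Each
# line is one JSON event as a log pipeline would deliver it.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2022-10-26T09:12:01Z","eventName":"GetObject","sourceIPAddress":"10.0.1.5",'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/BackupReader/svc"}}',
    '{"eventTime":"2022-10-26T09:13:44Z","eventName":"ListBuckets","sourceIPAddress":"10.0.1.5",'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/BackupReader/svc"}}',
    '{"eventTime":"2022-10-26T22:41:09Z","eventName":"GetObject","sourceIPAddress":"203.0.113.77",'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/BackupReader/svc"}}',
    '{"eventTime":"2022-10-26T22:41:20Z","eventName":"CreateUser","sourceIPAddress":"203.0.113.77",'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/BackupReader/svc"},"errorCode":"AccessDenied"}',
    '{"eventTime":"2022-10-26T22:41:25Z","eventName":"AttachRolePolicy","sourceIPAddress":"203.0.113.77",'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/BackupReader/svc"},"errorCode":"AccessDenied"}',
    '{"eventTime":"2022-10-26T22:41:31Z","eventName":"PutUserPolicy","sourceIPAddress":"203.0.113.77",'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/BackupReader/svc"},"errorCode":"AccessDenied"}',
]

# Assumed allowlist: the source addresses each role is expected to be used from.
KNOWN_SOURCES = {
    "arn:aws:sts::123456789012:assumed-role/BackupReader": {"10.0.1.5"},
}


def parse_events(lines):
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count these rather than drop them
    return events


def role_of(event):
    """Strip the session name from an assumed-role ARN so sessions of the same
    role share a baseline."""
    arn = event.get("userIdentity", {}).get("arn", "")
    return arn.rsplit("/", 1)[0] if "assumed-role/" in arn else arn


def detect_suspicious_role_activity(events, known_sources, denied_threshold=3):
    """Return alerts for roles used from unexpected sources and for repeated
    AccessDenied responses from one role session."""
    alerts = []
    denied = Counter()
    reported_sources = set()
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        role = role_of(ev)
        ip = ev.get("sourceIPAddress", "")
        if role in known_sources and ip not in known_sources[role] and (role, ip) not in reported_sources:
            reported_sources.add((role, ip))
            alerts.append({"rule": "role-used-from-unexpected-source", "role": role,
                           "sourceIPAddress": ip, "eventTime": ev.get("eventTime")})
        if ev.get("errorCode") == "AccessDenied":
            denied[(role, ip)] += 1
            if denied[(role, ip)] == denied_threshold:
                alerts.append({"rule": "access-denied-burst", "role": role,
                               "sourceIPAddress": ip, "eventTime": ev.get("eventTime")})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_role_activity(parse_events(SAMPLE_LOG_LINES), KNOWN_SOURCES):
        print(alert)
```

Both rules fire only on the later events from the unfamiliar address, which is the shape of the problem the article describes: the earlier calls from the expected network look identical to legitimate use, so a static allowlist and a denial counter are the minimum context that separates the two.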


LastPass has come in for plenty of criticism over its handling of the attacks in recent months, and that disapproval is unlikely to die down in light of the latest revelations. In fact, one security company went so far as to say that LastPass was not a trustworthy app and that users should switch to different password managers.

Right now, LastPass is apparently trying to hide its attack support pages from search engines by adding `<meta name="robots" content="noindex">` code to the pages. That will only make it more difficult for users (and the wider world) to find out what happened and hardly seems to be done in the spirit of transparency and accountability. Nothing has been published on the company blog either.

If you’re a LastPass customer, it might be better to find an alternative app. Fortunately, there are plenty of other superb password managers out there that can reliably protect your important information.
