LastPass

Icon created by Chris Williams

What is LastPass?

LastPass is a password manager and security provider that has suffered security breaches of its own, most notably two intrusions in 2022 during which crooks stole customer login data and encryption keys. The software provider, owned by GoTo (formerly LogMeIn), is based in Massachusetts, USA, and claims at least 33 million individuals and more than 100,000 businesses use its password and identity management services.

It also has its own-brand authenticator app as well as a dark-web monitoring service that alerts users when their email addresses show up in credentials stolen, leaked, or traded by cybercriminals.

The password management biz aims to make security easier for folks and corporations by storing each customer’s username and password combinations for hundreds of websites in customer vaults. Users thus don't have to memorize complex unique passwords for every site they use: these credentials can be retrieved from their own personal vault when needed. Each individual vault is stored in the cloud and sealed using a single master password that the user keeps a secret. When you need to fetch a password from your vault, you enter the master password, which unlocks the vault and provides the required credential. Vaults can be accessed via apps and browser extensions.

While convenient, and also improving netizens' online security, this makes LastPass an attractive target for cybercriminals, who broke into these vaults in August 2022.

LastPass sounded the alarm in August of that year, and at the time said the crooks only stole its source code and other internal company documents. “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” said CEO Karim Toubba.

This turned out to be wrong. By December, the developer admitted unknown parties accessed the encrypted contents of people's password vaults. Still, it told everyone there was no need to worry. Even though the crooks had the password data, each vault was encrypted using 256-bit AES and a key derived from each user’s master password. Without that key, the vault contents were useless.

“It would take millions of years to guess your master password using generally-available password-cracking technology,” the company claimed.

LastPass dropped another bombshell two months later. In an update about the intrusion, the password manager maker revealed that there were two attacks: one that ended August 12, 2022, and a second that spanned from August to October 2022. The second breach was the real doozy.

According to that 2023 update, the thieves used information swiped during the first break-in to compromise a LastPass DevOps engineer’s home computer, deploy keylogger malware, capture that employee’s master password, and gain access to the LastPass corporate vault. The engineer was one of only four employees with access to the super-secure storage.

After breaking into the corporate vault, the intruder got their hands on the AWS cloud access keys and decryption keys for LastPass's production backups stored in S3 buckets, which included “customer and encrypted vault data.”

LastPass was facing at least one class-action lawsuit as a result of this fiasco.