When it comes to password managers, LastPass has been one of the most prominent players in the market. Since 2008, the company has focused on providing secure and convenient solutions to consumers and businesses. Or so it seemed.

LastPass has been in the news recently for all the wrong reasons, with multiple reports of data breaches resulting from failed security measures. To make matters worse, many have viewed LastPass’s response to these incidents as less than adequate. The company seemed to downplay the severity of the incidents and failed to provide adequate transparency of the issues within a reasonable amount of time.

The recent events have led many to wonder if these are the last days for LastPass. Or is this simply a roadblock in the company’s long history of reliable security? You be the judge.

LastPass’s Recent History of Security Failures

For many years, the industry recognized LastPass as a reliable and secure password-management service. In fact, LastPass grew its subscriber list to more than 33 million users and over 100,000 businesses globally. Touting its Zero-Knowledge architecture, 256-bit encryption and attractive user interface, LastPass was seen as the go-to option for secure password management. Unfortunately, 2022 proved to be a tumultuous year for the self-proclaimed “pioneer in cloud security technology”. So far, 2023 isn’t providing much comfort either.

On August 25, 2022, the CEO of LastPass informed users that the organization detected “unusual activity” in its development environment. LastPass later confirmed the activity as a security breach. According to LastPass, they had no evidence that the intrusion had compromised customer data. The company still assured its users that they “implemented additional enhanced security measures” to better protect their environment moving forward.

The Security Issues Continue

Then in November of 2022, LastPass stated that its third-party cloud storage service, which it shared with its partner GoTo, was also breached using the same information it obtained in the August attack. LastPass notified authorities and insisted that its customers’ data was safe due to its Zero-Knowledge architecture.

Fast forward one month. In December of 2022, LastPass updated its findings from the August breach and advised all of its users that the attackers had, in fact, obtained an extensive amount of data from user accounts, including usernames, email addresses, IP information and other sensitive details. Of particular concern was the fact that customer vault data was among the stolen information. According to LastPass, however, the heavily encrypted vault data would remain very difficult for the attackers to decrypt.

On March 1, 2023, the penny dropped when LastPass notified users of its official findings that the incident surrounding its recent breaches was due to a compromised software engineer’s corporate laptop. The threat actor targeted a senior DevOps engineer, exploiting third-party software, and gained access to “highly secure” API and third-party integration secrets, system configuration data and encrypted and unencrypted user data.

What Risks are LastPass Users Now Facing?

In short, if you are or were one of LastPass’s subscribers, hackers can access all of your LastPass vault data. Let that sink in for a minute.

Before you run to your computer and start dismantling it in fear, it’s important to recognize the significance of LastPass’ 256-bit encryption protocol. While hackers may have access to your data, it remains extremely difficult for them to actually use that information without the proper decryption key.

However, this does not discount the fact that users are now facing a heightened risk of identity theft and fraud. The most troubling of LastPass’s recent statements suggest that hackers gained access to the company’s encryption protocols and proprietary software, which could lead to the potential for attackers to decrypt customer vault data down the road using sophisticated tools.

Additionally, LastPass’ vault security is only as strong as the chosen master password. It’s clear that many users will need to take action sooner rather than later to close the security gap.
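To put the last two paragraphs into numbers, here is an added illustration (not LastPass code, and not a description of its actual implementation): a vault key is stretched from the master password with a slow KDF, and an attacker holding a stolen encrypted vault can only guess master passwords offline, so the expected cost is governed by password entropy multiplied by the KDF work factor. The KDF choice (PBKDF2-HMAC-SHA256), the iteration counts and the attacker guess rate are assumptions chosen to show how the figures scale.

```python
import hashlib
import math
import os
import string

# Added illustration, not LastPass code. The article states only that vaults use
# 256-bit encryption keyed from the master password; the KDF, iteration counts and
# attacker throughput below are assumptions for showing how the cost scales.


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key; the vault is opaque without it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def estimate_entropy_bits(password: str) -> float:
    """Rough keyspace estimate from length and the character classes present.

    This is an optimistic upper bound: predictable patterns ("Summer2022!") fall to
    wordlist and rule-based guessing far sooner than the charset maths suggests.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    charset = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(charset) if charset else 0.0


def expected_crack_seconds(entropy_bits: float, iterations: int, base_guesses_per_second: float) -> float:
    """Expected offline-guessing time for an attacker who holds the encrypted vault.

    base_guesses_per_second is the attacker's PBKDF2 throughput at one iteration; every
    additional iteration divides it, so work factor and entropy both multiply the cost.
    On average half the keyspace is searched before the correct guess.
    """
    effective_rate = base_guesses_per_second / iterations
    return (2 ** (entropy_bits - 1)) / effective_rate


def risk_report(password: str, iterations: int, base_guesses_per_second: float = 1e10) -> dict:
    """Summarise exposure for one master password and one work factor (constructed rate)."""
    bits = estimate_entropy_bits(password)
    seconds = expected_crack_seconds(bits, iterations, base_guesses_per_second)
    return {"entropy_bits": round(bits, 1), "iterations": iterations, "expected_days": seconds / 86400}


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print(f"vault key: {key.hex()[:16]}... ({len(key) * 8} bits)")
    for pw in ("password", "correct horse battery staple"):
        for iters in (5_000, 100_100, 600_000):
            print(risk_report(pw, iters))
```

Raising the iteration count helps only linearly, whereas each extra bit of master-password entropy doubles the attacker's expected work, which is why a long passphrase matters more than any server-side setting once the vault is in an attacker's hands.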

Is LastPass Still Safe to Use?

Following the aftermath of the recent LastPass data breaches, it’s no secret that the company is doing serious damage control: not only to its security systems and process but also to its brand reputation.

However, one of the main issues that LastPass has to address publicly is its response time. LastPass was slow not only to investigate the threats but also to inform its users of the various breaches afterwards. This delay showcased a lack of transparency from LastPass, suggesting that the company did not properly manage its security processes or take appropriate measures to protect customer data.

Security experts are starting to agree that LastPass has let its guard down when it comes to protecting user data, potentially by focusing too much on attracting new market share and not enough on proper security protocols. The general message is that LastPass may still be utilizing strong encryption protocols, but there are still too many unanswered questions when it comes to how they handle persistent threats.

As Jeremi Gosney, esteemed password cracker and Senior Principal Engineer of the Yahoo security team, recently explained in an extensive series of posts, “I used to support LastPass. I recommended it for years and defended it publicly in the media… But things change.”

In addition, Gosney released a comprehensive article on Infosec Exchange urging people to switch to an alternate password manager for greater security.

“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” Gosney says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

What Should Your Next Step Be?

When it comes to password management, there are always multiple arguments to bring to the table.

On the one hand, LastPass offers a great user experience and powerful security features. While the most recent incidents paint them in an incriminating light, the security measures they use aren’t significantly different from those of other password managers.

On the other hand, everyone needs to ask themselves whether their data is “really” secure when placed in third-party hands. For many, this situation only heightens the need for more organizations to move to passwordless environments that eliminate the need for users to store and change their passwords regularly.

But for those current users of LastPass who are still unsure about whether or not to move their password security to another provider, simplify your decision by considering the answer to this question:

If you were a bank owner who just experienced a robbery only to find out that your bank security team was sleeping on the job, would you still trust them to get the job done right? Or would you find someone else more qualified?
