LastPass reveals how it got hacked — and it’s not good news

Last year was a particularly bad one for password manager LastPass, as a series of hacking incidents revealed some serious weaknesses in its supposedly rock-solid security. Now, we know exactly how those attacks went down — and the facts are pretty breathtaking.

It all began in August 2022, when LastPass revealed that a threat actor had stolen the app’s source code. In a second, subsequent attack, the hacker combined this data with information found in a separate data breach, then exploited a weakness in a remote-access app used by LastPass employees. That allowed them to install a keylogger onto the computer of a senior engineer at the company.


Once that keylogger was in place, the hackers could scoop up the engineer’s LastPass master password as it was entered, granting them access to the employee’s vault — and all the secrets contained within.


They used that access to export the contents of the vault. Nestled among the data were the decryption keys needed to decrypt customer backups stored in LastPass’s cloud storage system.

That’s important because LastPass kept production backups and critical database backups in the cloud. A large amount of sensitive customer data was also stolen, although it appears the hackers were not able to decrypt it. A LastPass support page details exactly what was stolen.

Questionable transparency

Luckily for LastPass users, it seems that customers’ most sensitive data — such as (most) email addresses and passwords — were encrypted using a zero-knowledge method. That means they were encrypted with a key derived from each user’s master password and unknown to LastPass. When the hackers stole LastPass data, they were unable to get these decryption keys because they were not stored anywhere by LastPass.
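To make the zero-knowledge point concrete, here is an added example (not LastPass’s code, and not a description of its actual implementation) of the split it relies on: the vault key is derived on the client from the master password, a separate one-way authentication hash is what the server stores for login, and the server holds only ciphertext. The PBKDF2 work factor, the email-as-salt choice and the HMAC-based keystream (used in place of an AEAD such as AES-GCM so the block needs only the standard library) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: illustrative work factor, not any vendor's actual setting.
# A higher count makes guessing the master password offline slower.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only. The key never leaves the device, so a breach of
    the server does not expose it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the server stores to check a login. PBKDF2 is one-way, so the
    vault key cannot be recovered from this value."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the client; the returned blob is all the server sees."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob is rejected."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def server_record(email: str, auth_hash: bytes, blob: dict) -> dict:
    """Everything the server persists for one user: no vault key anywhere."""
    return {"email": email, "auth_hash": auth_hash.hex(), "blob": blob}


def decrypt_with_server_data_only(record: dict) -> bool:
    """Model what a breach of the server yields: try the stored auth hash as
    if it were the key. Returns True only if decryption succeeds (it does not)."""
    try:
        decrypt_vault(bytes.fromhex(record["auth_hash"]), record["blob"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample user and vault contents.
    key = derive_vault_key("correct horse battery staple", "alice@example.com")
    blob = encrypt_vault(key, b"site=example.com;user=alice;pw=hunter2")
    rec = server_record("alice@example.com",
                        derive_auth_hash(key, "correct horse battery staple"), blob)
    print("server-only decrypt succeeded:", decrypt_with_server_data_only(rec))
    print("client decrypt:", decrypt_vault(key, blob))
```

The last two lines show the two sides of the story on this page: the server’s copy of the data is useless without the master password, which is exactly why capturing that password on an endpoint (as happened to the engineer here) bypasses the whole scheme.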

That said, plenty of important data was taken by the threat actors. That included backups of LastPass’s multi-factor authentication database, API secrets, customer metadata, configuration data, and more. As well as that, it seems numerous products apart from LastPass were also breached.

On a support page, LastPass said the way the second attack was carried out — by using genuine employee login details — made it difficult to detect. In the end, the company realized something was wrong when its AWS GuardDuty Alerts system warned it that someone was trying to use its Cloud Identity and Access Management roles to perform unauthorized activity.


LastPass has come in for plenty of criticism over its handling of the attacks in recent months, and that disapproval is unlikely to die down in light of the latest revelations. In fact, one security company went so far as to say that LastPass was not a trustworthy app and that users should switch to different password managers.

Right now, LastPass is apparently trying to hide its attack support pages from search engines by adding a `<meta name="robots" content="noindex">` tag to the pages. That will only make it more difficult for users (and the wider world) to find out what happened and hardly seems to be done in the spirit of transparency and accountability. Nothing has been published on the company blog either.

If you’re a LastPass customer, it might be better to find an alternative app. Fortunately, there are plenty of other superb password managers out there that can reliably protect your important information.
