LastPass discloses August 2022 security breach

Martin Brinkmann
Aug 26, 2022
Security

LastPass, maker of the popular password management solution, disclosed a security breach on the company blog.


According to the published information, LastPass noticed "unusual activity" about two weeks ago in the development environment. An investigation confirmed that "an unauthorized party" gained access to parts of the development environment of the company; this happened through a developer account that had been compromised.

The threat actor managed to obtain "portions of source code and some proprietary LastPass technical information". Products and services were not affected, and user data was not in danger at any point, according to the announcement.

LastPass hired a "leading cybersecurity and forensics firm" to investigate the breach. Containment and mitigation measures were deployed immediately and the company states that it has contained the breach and implemented additional security measures. It has not seen evidence of further unauthorized activity in the development environment or elsewhere.

LastPass notes in an FAQ that user data has not been compromised. The company's zero knowledge security model ensures that master passwords are secure, according to the company. LastPass recommends that users follow best practices, which include using the company's LastPass Authenticator application. The app adds a second layer of authentication to the verification process.

The August 2022 security breach is not the first such incident that LastPass disclosed. In 2015, LastPass was hacked. At that time, attackers managed to steal user data, including email addresses, password reminders, authentication hashes and other data.

In 2021, LastPass announced that it would become an independent company. Changes were announced to LastPass Free, the free plan of the password management service, that made some users migrate to other password management solutions, including Bitwarden and KeePass.

LastPass fails to disclose additional details on the breach. Can the downloaded data be used to devise further attacks against the company or its users?

Users of the service, and of any other online password management solution, should follow best practices to secure their accounts. One of the best options is to enable two-factor authentication. Depending on the service, other options may be available, including separating password databases.

Closing Words

It appears that the August 2022 security breach that LastPass disclosed had a limited scope. User data and the production environment were not breached, according to the disclosure.

Now You: do you use a password manager? (via Born)

Publisher: Ghacks Technology News

Comments

  1. Bruce Tech Guy said on September 17, 2022 at 9:29 am

    I use KeePass on Windows and KeePassXC on the Mac, and KeePassium on my mobile iPhone.
    It works well for me because:
    1) I wish to store more than just web ID credentials,
    2) I don’t wish to be only able to access my passwords data when connected to the internet,
    3) I feel better about having the KeePass KDBX encrypted vault db file in my possession and control. Plus I’m able to keep it on a flash drive (among other more secured locations) so that the data is with me if I need access to it without my typical setup.
    Of course, it is a bit ‘geekier’ than some of the other web-based password solutions.
    I’ve had good experience and feedback regarding Dashlane and BitWarden, among others.

  2. CalixtoWVR1 said on August 28, 2022 at 12:20 am

    I dropped Lastpass a few months ago and adopted KeePass because of those breaching episodes and of course probably also the sharing of data with other tech companies as mentioned above. I really don’t regret my move and will not look back.

    “Gargoyle is evil!” Where did I hear that phrase before?

  3. TREE said on August 27, 2022 at 6:39 pm

    I dropped lastpass after PaleMoon changed to no longer use older Firefox add-ons. I went to Brave browser. That browser showed me that lastpass sends all this stuff to google, which tracks us all. That’s when I stopped using lastpass, because GURGLE is so EVIL.

  4. sdasd said on August 27, 2022 at 2:20 pm

    Keepass and only Keepass!

  5. jp said on August 27, 2022 at 6:55 am

    Been with LastPass for ages, but said bye once they decided to stop free service. Migrated to Bitwarden, surely no regrets. Cloud or local – neither is perfect, it all depends on the user’s needs.

  6. froggyranita said on August 26, 2022 at 4:04 pm

    Hello, I switched from LastPass to Bitwarden when LastPass stopped allowing, in the free version, its use on several devices.
    I must admit that while Bitwarden is OK, I do prefer LastPass.

  7. Anonymous said on August 26, 2022 at 2:09 pm

    Due to this, I was never tempted to test LastPass or any of these other online password storage services. That’s what I anticipated would occur eventually. Additionally, despite the fact that you are paying a lot for their services to store your credentials, they are not maintaining the security of those services. This has happened previously, too. Instead of syncing the database with a cloud service, I’d prefer to retain my passwords in KeePass locally.

  8. ShintoPlasm said on August 26, 2022 at 1:31 pm

    Bitwarden here, mainly because I need to share some of my vault’s info with other family members.

  9. Anonymous said on August 26, 2022 at 1:11 pm

    I’ve been using KeePass for about a decade. I just sit back and watch the online password managers have security breaches, and they’ve all fallen, one by one over the years.

    I just sync my database file by hand – I don’t store it in the cloud.

    Easy-peasy, never have to worry about this stuff.

  10. ferb said on August 26, 2022 at 9:42 am

    I used to be a LastPass fanboy. At one time it was best-in-class. But then they began cutting features from, and reducing support for, their free offering. And the product needed support; I had to contact them several times for various issues. And this isn’t their first security breach.

    So for the last couple of years I have been recommending (free, open source) Bitwarden for clients, particularly less tech-savvy ones, who want a cloud-based PW manager, and (free, open-source) KeePass for those who want a self-hosted PW manager. Haven’t regretted the switch.

  11. Yash said on August 26, 2022 at 8:48 am

    Used LastPass before, never liked the service. Waste of time and that’s before it locked me out of my account coz master password is incorrect although I never changed it. Probably that bug happened with me only but it directed me to switch to Bitwarden. Never looked back since.

  12. Anonymous said on August 26, 2022 at 8:01 am

    I gave up LastPass in favor of another ages ago and have not regretted the change. Its hard this reinforces any good feelings. Any pwd manager may be a target.

    Why not a local database type, piece of paper, spreadsheet etc.? One fire or flood and it’s gone. We take our chances no matter what we do. No option is risk free.

  13. Ahh said on August 26, 2022 at 7:50 am

    Recommend this local password manager for chrome too?! I also keep the password manager local.

  14. ard said on August 26, 2022 at 6:53 am

    Yep, I do use a password manager, as my memory does not help me with all the different strong pw’s that I use. However, I do not rely on a cloud, as I do not trust cloud services.
    I use a local pw manager with the encrypted file sitting on my computer, backed-up in double layer as well.

    1. Hdhu said on August 26, 2022 at 8:27 am

      Recommend this local password manager for chrome too?! I also keep the password manager local.
