LastPass Was Breached. Should You Panic? (And What to Use Instead)
LastPass, the password manager we've recommended multiple times on this blog, disclosed that an attacker accessed their development environment and stole source code and proprietary technical information. In a subsequent disclosure, they revealed that encrypted password vaults were also accessed.
This is deeply concerning. Let's break down what happened, what the risk is, and what you should do.
What Happened
- August 2022: LastPass disclosed that an attacker compromised a developer's account and accessed their development environment for four days
- December 2022: LastPass revealed the attacker used information from the August breach to access cloud storage containing customer vault backups
- The stolen data includes: encrypted password vaults, website URLs (unencrypted), and customer metadata
What This Means
The Good News
Password vaults are encrypted with your master password using AES-256 encryption. If your master password is strong (long, unique, not used elsewhere), the encrypted vault data is extremely difficult to crack.
The Bad News
Website URLs stored in vaults are NOT encrypted. An attacker can see which websites you have accounts for, even without cracking the vault. For practices, this reveals which vendors, portals, and services you use.
If your master password is weak (short, common, reused), your vault could potentially be cracked through brute force over time. The attacker holds a copy of the encrypted data, so there is no account lockout or rate limiting to slow them down: they can keep guessing master passwords offline for as long as they like, with as much computing power as they can bring to bear.
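To make the offline-cracking risk above concrete, here is an added example (not code from the original post, and not LastPass's implementation) that derives a vault key from a master password with a PBKDF2-style key derivation and estimates how long an exhaustive offline search would take for a weak versus a strong master password. The attacker throughput, the iteration counts and the sample passwords are constructed assumptions for illustration.

```python
import hashlib
import os

# Constructed figures for illustration only. The attacker's throughput is an
# assumption (a GPU rig computing 10 billion HMAC-SHA256 per second); the
# iteration counts used below are example work factors, not any vendor's setting.
ASSUMED_HMAC_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Turn a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    A vault is not encrypted with the password itself: a deliberately slow key
    derivation produces the AES-256 key, so every offline guess at the master
    password has to repeat `iterations` HMAC computations before it can be tested.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33  # printable ASCII symbols
    return size


def expected_crack_years(password: str, iterations: int,
                         hmac_per_second: int = ASSUMED_HMAC_PER_SECOND) -> float:
    """Expected years for an exhaustive offline search to hit the master password.

    Keyspace is alphabet**length and on average half of it is tried. Each guess
    costs `iterations` HMACs, so the work factor divides the attacker's rate.
    This is an upper bound: dictionary and pattern guessing beats exhaustive
    search by orders of magnitude on passwords like "Summer22".
    """
    guesses_per_second = hmac_per_second / iterations
    keyspace = alphabet_size(password) ** len(password)
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = os.urandom(16)  # stored next to the vault; it is not a secret
    for pw in ("Summer22", "q7$Lm2!vXp9#Rt4e"):  # constructed weak / strong samples
        key = derive_vault_key(pw, salt, 100_000)
        for iters in (5_000, 600_000):
            print(f"{pw!r:20} key={key.hex()[:8]}... iters={iters:>7} "
                  f"~{expected_crack_years(pw, iters):.2e} years")
```

Raising the iteration count multiplies the attacker's cost linearly, but adding length to the master password multiplies it exponentially, which is why the 15+ character advice matters more than any server-side setting.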
What You Should Do
If Your Master Password Is Strong (15+ characters, unique)
- Your vault encryption is likely secure
- Change your master password as a precaution
- Enable MFA on your LastPass account if not already enabled
- Rotate passwords for your most sensitive accounts (banking, email, admin accounts)
If Your Master Password Is Weak or Reused
- Assume your vault may be compromised
- Change every password stored in LastPass, starting with banking, email, and admin accounts
- Consider migrating to a different password manager
Should You Switch Password Managers?
This is a judgment call, but our recommendation has shifted:
- 1Password: Now our top recommendation. Excellent security architecture, including a Secret Key that adds an additional layer of encryption beyond the master password. Even if someone stole encrypted vault data, they'd need both the master password AND the Secret Key.
- Bitwarden: Open-source, well-audited, affordable. Can be self-hosted for maximum control.
A password manager with a breach history is still safer than no password manager. But given alternatives exist that haven't had comparable incidents, switching is reasonable.
The Irony
We've spent six years telling you to use a password manager. We still believe that's correct. The alternative (weak, reused passwords) is far worse. But this incident highlights that security tools themselves must be secured. No tool is infallible. Layer your defenses.