In August of 2022, LastPass announced that they had been the victim of a cyberattack. The hackers had penetrated their security and stolen some company information, including source code. But, they assured the world, no customer information had been accessed. Fast forward to November 30, and LastPass issued another statement: there had been another breach, and this time, some customer information appeared to have been accessed.
But nothing further. Until December 22, as everyone was leaving for the holidays. LastPass announced that this most recent breach (separate and distinct from the original breach, but likely by the same actors and using information stolen in the first breach) was bad. It turns out that the customer data that had been taken was, well, all of it. The hackers had stolen an entire backup of every user’s vault. Fortunately, LastPass said, the hackers did not have the decryption keys, which meant that the information in the vaults should be reasonably safe.
Except, as it turns out, even that statement of reassurance by LastPass wasn’t exactly… honest.
In this episode of the Fearless Paranoia podcast, we discuss what happened in the LastPass breach, including how the hackers appeared to gain access to LastPass’s user backups, and what kind of information they took. We also discuss what this breach means for LastPass users in general, and provide three things all LastPass users absolutely need to do immediately to keep themselves safe.