News | Dec 22, 2022 | 2 min read

LastPass Vault Data Exfiltration: Customer Password Vaults Stolen

LastPass disclosed that attackers stole encrypted password vault data during an earlier breach. Here is what users need to understand about their risk and immediate steps to protect themselves.

By 3SN Editorial
Tags: LastPass, Password Manager, Data Breach, Encryption, Credential Security

TL;DR

  • LastPass disclosed that attackers exfiltrated encrypted password vault data in an incident extending from an earlier August breach.
  • While vaults are encrypted under the user's master password, vaults protected by weak master passwords may be vulnerable to offline brute-force cracking.
  • Users should change all stored passwords, enable MFA everywhere possible, and consider migrating to alternative password managers.

The short version

LastPass disclosed that attackers stole copies of customer password vaults during a breach that extended from an earlier August incident. While the vaults remain encrypted, users with weak master passwords face real risk of their vaults being cracked through brute-force attacks. This is not a theoretical risk: attackers now possess the vault data itself and can attempt to decrypt it offline, at their own pace, with as much computing power as they can bring to bear.

The impact extends beyond just the stolen vaults. Attackers also obtained metadata including website URLs, which gives them a roadmap of which accounts to target. For users, this means treating every password in their vault as potentially compromised and taking immediate action to protect their accounts.

Why this matters beyond a single product

Password managers remain essential security tools, but this incident reveals critical lessons about trust and resilience in security infrastructure. When users entrust their entire digital identity to a single service, that service becomes an extremely high-value target. The compromise of a password manager does not just expose one account: it potentially exposes every account the user has.

This breach also highlights the importance of defense in depth. No single security control is sufficient. Even when using a password manager, users still need MFA on every account, unique passwords for each service, and awareness that any security tool can fail. The goal is not to abandon password managers but to use them as one layer in a broader security strategy.

Practical next steps for teams

If your organization uses LastPass, treat this as a full credential reset event. Every password stored in LastPass should be considered potentially compromised. Prioritize changing credentials for email, financial services, and any work-related accounts. Enable MFA everywhere it is supported. Consider this an opportunity to audit and reduce the number of accounts your organization maintains.

For individual users, the same advice applies. Change all passwords, enable MFA, and consider whether LastPass remains the right choice for your needs. If you continue using LastPass, change your master password to something strong and unique. If you migrate to another service, use this as an opportunity to clean up old unused accounts. If you only have time for one action today, enable MFA on your email account. That single step protects the recovery path for most of your other accounts.

3SN perspective

Security tools should reduce risk, not concentrate it. This incident reveals the tension between convenience and resilience. We believe users need security architectures that do not rely on trusting any single provider completely. That means using password managers with strong encryption and zero knowledge architecture, but also layering additional controls like MFA, regular credential rotation, and awareness that no tool is invulnerable. Security works best when it is distributed, resilient, and designed with the assumption that breaches can happen.

What happened

LastPass disclosed that attackers exfiltrated copies of customer password vaults during a breach that extended from an August 2022 incident. The attackers accessed cloud storage containing backup copies of customer vault data, including website URLs, usernames, passwords, secure notes, and form-fill data. While the vaults remain encrypted under users' master passwords, the theft creates real risk for users with weak or guessable master passwords, because the attacker can now test guesses offline against the stolen copy.

Who’s affected

All LastPass users whose vault data was stored in the compromised cloud storage are affected. Users with weak master passwords face the highest risk of their vaults being cracked through brute-force attempts. Business customers with shared folders and emergency access contacts are also affected by the exposure of those configurations and their metadata.

What to do now

  1. Change every password stored in your LastPass vault, starting with high value accounts like email, banking, and work credentials.
  2. Enable multifactor authentication on every account that supports it, especially email accounts that could be used for password resets.
  3. Consider migrating to an alternative password manager and changing your master password to something strong and unique.

Technical analysis

Mitigations & recommendations

Change all stored passwords immediately (severity: critical)

Treat every password in your LastPass vault as potentially compromised. Change them all, prioritizing high value accounts like email, financial services, and work credentials.

Enable MFA on every possible account (severity: critical)

Multifactor authentication provides protection even if your password is compromised. Enable MFA everywhere, with special priority on email accounts that control password resets for other services.

Change your master password (severity: high)

If you continue using LastPass, change your master password to a strong, unique passphrase that has never been used anywhere else and is not built from a few dictionary words or personal details. Length and randomness are what make an offline guessing attack on the stolen vault impractical.
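The reason a weak master password matters, both for the "What happened" section and for this recommendation, comes down to a work-factor calculation: a stolen vault can only be opened by deriving the key from each candidate master password, and each derivation costs the attacker a fixed number of hash evaluations. The following Python model is an added illustration written for this article, not LastPass code, and its iteration count, wordlist size and attacker hash rate are assumptions chosen for the example rather than LastPass's published settings. It derives a vault key with PBKDF2-HMAC-SHA256 the way a zero-knowledge password manager would, then shows how expected cracking time scales with master password entropy and with the iteration count.

```python
"""Work-factor model for offline guessing against a stolen PBKDF2-protected vault.

Added illustration for this article. All parameters below are assumptions for
the example, not LastPass's published configuration.
"""
import hashlib
import math

WORDLIST_SIZE = 7776            # assumed diceware-style wordlist size
HASHES_PER_SECOND = 1e10        # assumed aggregate HMAC-SHA256 rate of a well-resourced attacker
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    In a zero-knowledge design the master password never leaves the client;
    the server only ever sees material derived from this key.  Whoever holds a
    stolen vault blob must therefore re-run this derivation for every guess,
    and `iterations` is the knob that makes each guess expensive.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def expected_guesses(entropy_bits: float) -> float:
    """On average the correct password is found after trying half the keyspace."""
    return 2.0 ** (entropy_bits - 1)


def expected_crack_years(entropy_bits: float, iterations: int,
                         hashes_per_second: float = HASHES_PER_SECOND) -> float:
    """Expected time to recover a password of the given entropy, in years.

    Each guess costs `iterations` HMAC-SHA256 evaluations, so total work is
    guesses * iterations, divided by the attacker's hash rate.
    """
    hmac_evaluations = expected_guesses(entropy_bits) * iterations
    return hmac_evaluations / hashes_per_second / SECONDS_PER_YEAR


def passphrase_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase built from `word_count` uniformly random words."""
    return word_count * math.log2(wordlist_size)


def risk_table(iteration_counts=(5_000, 100_000, 600_000),
               entropies=((30.0, "short human-chosen password (assumed ~30 bits)"),
                          (None, "4 random words"),
                          (None, "6 random words"))):
    """Expected crack time for each (entropy, iteration count) pair.

    Returns a list of (label, iterations, years) tuples so callers can check
    the numbers instead of only reading printed output.
    """
    rows = []
    for bits, label in entropies:
        if bits is None:
            words = int(label.split()[0])
            bits = passphrase_entropy_bits(words)
        for iters in iteration_counts:
            rows.append((label, iters, expected_crack_years(bits, iters)))
    return rows


if __name__ == "__main__":
    # Sanity check that derivation is deterministic for a given salt/iteration count.
    salt = b"constructed-example-salt"
    assert derive_vault_key("correct horse battery staple", salt, 1000) == \
        derive_vault_key("correct horse battery staple", salt, 1000)

    for label, iters, years in risk_table():
        print(f"{label:50s} iterations={iters:>7d}  expected crack time: {years:.3g} years")
```

The table makes the two levers visible: raising the iteration count buys a linear factor (10x iterations, 10x time), while each extra random word in the passphrase multiplies the attacker's work by the wordlist size. A short human-chosen password stays within reach at any realistic iteration count, which is why the advice is to change both the stored passwords and the master password rather than to rely on the vault encryption alone.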

Monitor for unauthorized access attempts (severity: medium)

Watch for unusual login notifications, password reset emails you did not request, or unexpected MFA prompts. These may indicate attackers attempting to use cracked credentials.
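The signals above (unexpected MFA prompts, reset emails nobody requested) can be checked mechanically against authentication logs. The script below is an added example written for this article, not tooling from LastPass or any vendor; the log format and the sample lines are constructed for the demonstration. It encodes two of the article's indicators as rules: a password that is accepted and then followed by repeated MFA denials (the password is known to someone who does not hold the second factor), and a password reset requested from a source that has never completed a login for that user.

```python
"""Flag the post-breach indicators described above in authentication logs.

Added example for this article.  The log line format and all sample lines
below are constructed for the demonstration and do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample log: "<ISO timestamp> <event> user=<name> ip=<source>"
SAMPLE_LOG = """\
2022-12-22T09:00:01Z login_failure user=alice ip=203.0.113.7
2022-12-22T09:00:04Z login_failure user=alice ip=203.0.113.7
2022-12-22T09:00:09Z login_success user=alice ip=203.0.113.7
2022-12-22T09:00:10Z mfa_prompt user=alice ip=203.0.113.7
2022-12-22T09:00:40Z mfa_denied user=alice ip=203.0.113.7
2022-12-22T09:01:05Z mfa_prompt user=alice ip=203.0.113.7
2022-12-22T09:01:30Z mfa_denied user=alice ip=203.0.113.7
2022-12-22T09:05:00Z password_reset_requested user=bob ip=198.51.100.9
2022-12-22T09:10:00Z login_success user=carol ip=192.0.2.33
2022-12-22T09:10:03Z mfa_prompt user=carol ip=192.0.2.33
2022-12-22T09:10:15Z mfa_success user=carol ip=192.0.2.33
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


class Event(NamedTuple):
    ts: datetime
    event: str
    user: str
    ip: str


def parse_log(text: str) -> List[Event]:
    """Parse log lines into Events, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["event"], m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious(events: List[Event], window: timedelta = timedelta(minutes=10),
                    denial_threshold: int = 2) -> List[Tuple[str, str]]:
    """Return (user, reason) alerts for the two indicators, sorted by user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in sorted(by_user.items()):
        # Rule 1: password accepted, then MFA denied repeatedly inside the window
        # with no MFA success.  The password is no longer secret; only the
        # second factor held, which is exactly the case MFA is meant to cover.
        for i, e in enumerate(evs):
            if e.event != "login_success":
                continue
            later = [x for x in evs[i + 1:] if x.ts - e.ts <= window]
            denials = sum(1 for x in later if x.event == "mfa_denied")
            succeeded = any(x.event == "mfa_success" for x in later)
            if denials >= denial_threshold and not succeeded:
                alerts.append((user, "mfa_denied_after_password_accepted"))
                break

        # Rule 2: password reset requested from a source IP that has never
        # completed a full (password + MFA) login for this user.
        known_ips = {x.ip for x in evs if x.event == "mfa_success"}
        for e in evs:
            if e.event == "password_reset_requested" and e.ip not in known_ips:
                alerts.append((user, "reset_from_unfamiliar_ip"))
                break
    return alerts


if __name__ == "__main__":
    for user, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"ALERT user={user} reason={reason}")
```

On the constructed sample, alice is flagged because her password was accepted and then two MFA prompts were denied within ten minutes, and bob is flagged for a reset request from an address that has never completed a login; carol's ordinary login produces nothing. In a real deployment the window and denial threshold would be tuned to the service's normal MFA failure rate, and "known IP" would usually be replaced by a longer-lived device or session history than a single log excerpt provides.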