LastPass: Encrypted Vault Master Password Concerns and Breach Update

LastPass Breach Update. Is LastPass Still Safe?

LastPass has notified users of their platform of a breach into their cloud based-storage environment. LastPass did an exceptional job maintaining transparency for all users and providing updates as the investigation continued.  On December 22nd, LastPass posted an update that provided further insight into the breach that occurred in August 2022.  According to their research, it was confirmed that source code and technical information stolen were used to target another employee internally.

How Did The Breach Occur?

A bad actor obtained credentials and keys which facilitated access to storage volumes.  With cloud storage access keys and dual storage decryption keys obtained, the threat actor copied information from the backup, containing basic customer account information, and metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses. Consequently, the threat actor was able to copy a customers vault data from an encrypted storage container which was stored in a “…proprietary binary format that contains both unencrypted data, such as websites URL as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” 

Due to LastPass’s encryption, all encrypted fields remained encrypted with 256-bit AES and can only be decrypted with a unique encryption key derived from each user’s unique master password. Last pass Zero-knowledge security model effectively

As a result, investigators could not find evidence that unencrypted credit card data was accessed.  This incident, emphasizes the importance of maintaining password complexity and avoiding reusing the same password for other applications or websites.  

What Went Wrong?

LastPass cloud storage works using “a proprietary binary format”. This can be described as a combination of unencrypted fields such as your billing information, names, email, phone numbers, and plaintext URLs.  On the other hand, the encrypted fields, such as passwords and credit card information contained within your vault, use AES-256B encryption which can only be decrypted with your master password. 


The default requirement for the master-password is 12-characters. According to LastPass,if you use the default settings above it would take millions of years to guess your master password using generally-available password-cracking technology.” .


However, a recent  blog post by Jeffrey Goldberg from 1Password on December 28th, 2022 claims that 12-character passwords can be cracked for approximately $100.00. “Because of how powers of 2 work, the cost of making 233 guesses is would be 12 dollars, the cost of making 234 guesses would be 24 dollars. Ten billion guesses would cost about 100USD.”.

According to LastPass’ December 22nd post, “The threat actor was also able to copy a backup of customer vault data.”. If this vault data is leaked to the dark web, and with new insight that 12-character master-passwords could be cracked for a mere $100.00, we are looking at a potential risk for LastPass vault users with a weak master-password, or who did not implement LastPass Federated Login Services. 

Should your business use Federated Login Services, the master-password is actually a randomly generated 32 characters long string, significantly decreasing risk of cracking from brute force attempts.

Is LastPass Safe?

Considering a bad actor was able to obtain credentials, keys, and copy vault data (and various metadata from customers) but was unable to crack information contained within the vault without the master-key, LastPass is *STILL* a better practice than storing credentials in Google Chrome/Edge, or re-using the same password across multiple sites.

What does this really mean? Without access to your master-key, the stolen data contained within your vault is useless to a bad actor. 

However, there are some great alternatives for password vaults which include: 

  • BitWarden
  • 1Password
  • Keeper Password Manager

What Should I Do?

  1. Rotate your master password to a 16-20 character complex password. 
  2. Do not use the same master password to your vault as you do on other websites.
  3. If you are a business, consider Federated Login Services instead of instructing users to create a master password. 
  4. Enforce Multifactor Authentication on accounts across the web, such as Amazon, Hulu, banking services, etc. 

Need help with Federated Login Services?

Secure your business accounts today by contacting our team.