LastPass Breach 2022: When the Password Manager Gets Breached

BREACH INTELLIGENCE

Breach date: August–December 2022
Industry: Cybersecurity
Severity: Critical
Records exposed: 30M+ vaults
Financial impact: Ongoing exposure

Breach Summary

The LastPass breach of 2022 is the most instructive data breach in the password security space precisely because it happened to the company that was supposed to be the answer to password security. LastPass stores the master passwords and encrypted password vaults of over 30 million users and 85,000 businesses. When attackers breached LastPass twice in 2022 — once in August, and again in November using data from the first breach — they obtained copies of customer password vaults that, if cracked, would give complete access to every password those customers had ever stored.

The LastPass breach is still unfolding. Cracking efforts against stolen vaults are ongoing. Users who reused their LastPass master password, chose a weak master password, or whose vault was encrypted with weaker key-derivation parameters carried over from older LastPass default settings remain at risk of their 2022 vault copy being cracked years after the breach.

What Happened

The August 2022 intrusion gave attackers source code, technical documentation, and internal technical details about LastPass's cloud architecture. LastPass disclosed this breach but assessed that no customer data had been accessed. The November 2022 intrusion used the technical intelligence from August to target LastPass's cloud backup environment through a compromised senior DevOps engineer. The engineer's home computer — running Plex Media Server on an outdated, vulnerable version — was compromised using a known Plex vulnerability. A keylogger captured the engineer's corporate credentials, including the decryption key for the corporate vault and access to the AWS S3 backup environment where customer data was stored. The attackers exfiltrated a significant volume of customer data, including encrypted vault backups, customer account metadata, and billing information. LastPass disclosed the full scope of the breach in December 2022 and January 2023. The disclosure acknowledged that the stolen vault data, while encrypted, could be subject to brute force cracking attempts — with success dependent on master password strength and the encryption parameters used at the time each vault was created.

Attack Vector Detail

The Attack Vector: Developer Endpoint to Cloud Backup

The LastPass breach involved two distinct but connected intrusions. The August 2022 intrusion compromised a LastPass developer's endpoint — through means not fully publicly disclosed but consistent with credential theft or malware — and used that access to steal source code and technical documentation from LastPass's development environment. LastPass initially characterized this as a contained incident with no customer data exposed.

The November 2022 intrusion used data obtained from the August breach — specifically, technical information about LastPass's cloud backup infrastructure — to target a senior DevOps engineer's home computer. The attackers compromised the DevOps engineer's personal machine, exploiting a vulnerable media software installation (Plex Media Server running an outdated version) to deploy a keylogger. The keylogger captured the engineer's master password for the LastPass corporate vault, which provided access to LastPass's cloud backup environment. The attackers exfiltrated customer data including encrypted vault backups, customer names and email addresses, billing information, and metadata about the vaults themselves.

Breach Pattern Timeline

August 2022

LastPass discloses initial breach: attackers accessed a portion of LastPass's development environment via a single compromised developer account. LastPass states no customer data or vaults were accessed.

November 30, 2022

LastPass discloses second breach: attackers used information stolen in the August breach to access a third-party cloud storage service shared by LastPass and parent company GoTo (formerly LogMeIn).

December 22, 2022

LastPass updates disclosure: attackers stole encrypted customer vaults including website URLs (unencrypted), usernames, billing addresses, and the encrypted password vault data itself.

January 2023

Attack path surfaces: attackers had compromised a senior DevOps engineer's home computer via a vulnerable Plex Media Server installation, then captured the engineer's master password with a keylogger and used it to decrypt corporate vault credentials that provided access to AWS S3 backup buckets.

February 2023

LastPass discloses additional details about the breach scope. Affected customers begin filing class action lawsuits citing inadequate security practices and disclosure delays.

2023

Cryptocurrency theft attributed to LastPass-leaked vaults begins surfacing. Researchers track $35M+ in cryptocurrency stolen from victims whose seed phrases were stored in LastPass vaults exposed in the breach.

2024–2025

Cryptocurrency theft attribution to LastPass continues climbing. Tracked figures exceed $200M in cryptocurrency stolen via post-breach vault decryption. ZachXBT and other investigators document patterns of LastPass victims being targeted.

2025–2026

Class action consolidation continues in U.S. federal courts. LastPass remains operational but with significantly damaged trust. Password manager industry shifts toward zero-knowledge architectures with hardware-bound master keys.

Total impact: 30 million LastPass users affected, $200M+ in cryptocurrency stolen via decrypted vaults, foundational precedent for password manager threat modeling and the limits of the 'we can't see your data' security narrative when implementation has gaps.

Executive Lessons

LastPass established that a developer's compromised personal device can provide the initial access necessary to eventually reach crown-jewel data in a cloud storage environment. The breach also demonstrated that encrypted vault data, even without the master password, represents a long-duration liability: vaults encrypted with weak master passwords can be cracked, and any secrets stored in LastPass should be considered compromised and rotated. For organizations that deployed LastPass as an enterprise password manager, all service account credentials and privileged access credentials stored in LastPass should have been rotated following the 2022 disclosure.

Private Equity Implications

PE firms and portfolio companies that used LastPass Business accounts during the 2022 breach period have a specific ongoing risk: their password vaults may be among those exfiltrated, and if those vaults contain credentials to critical financial systems, portfolio company environments, or firm infrastructure, cracking of those vaults would provide direct access. Organizations that have not rotated all credentials stored in LastPass since the 2022 breach should treat that rotation as an urgent security hygiene requirement. The ongoing nature of the vault cracking risk — years, not months — makes this a sustained rather than historical exposure.

How Cloudskope Can Help

Cloudskope's Identity and Access Risk Assessment includes evaluation of enterprise password manager deployment and policy — ensuring that corporate credentials are stored with appropriate encryption parameters, that master password policies enforce genuine strength, and that enterprise password vault access is monitored for anomalous activity. If your organization used LastPass during the 2022 breach period, our assessment includes evaluation of exposure risk and recommended remediation steps.
