LastPass was an industry-leading password manager. They achieved this impressive status because of their robust features, including strong security and a high-quality interface. But since August 2022, LastPass has suffered two serious data breaches. Unidentified attackers stole proprietary software. Their reputation has been tarnished as a result, and many users are rightfully seeking alternatives. PowerbITs recommended LastPass for the longest time, but we no longer do so after their latest breach.
LastPass – the industry giant that fell
LastPass is a password manager founded by a group of talented engineers in 2006. Their mission was to make the internet safer by helping people remember their passwords. And they’ve largely succeeded in this goal.
LastPass has over 150 million users, making it one of the world’s most popular password managers. Recognising its potential, LogMeIn purchased Lastpass in 2015 for $110 million.
Why was LastPass such a popular choice
LastPass offers a variety of features, including:
- Industry-leading encryption technology
- User-friendly interface
- Integration with popular apps and devices
- Affordable pricing
LastPass is internationally recognised for providing excellent security features and a user-friendly interface. But they’ve also been criticised for their acquisition by LogMeIn. Users have expressed concern that LogMeIn’s monetisation goals may compromise user privacy.
Despite these concerns, LastPass was extremely popular. They had excellent security features and an intuitive interface. These qualities made LastPass great for most users.
The following is a timeline of LastPass since it was founded to the latest security breaches.
- 2006: A group of engineers found LastPass.
- 2008: LastPass launched their first public beta.
- 2010: LastPass acquired a pass synchronisation web browser extension called Xmarks.
- 2012: LastPass launched their mobile app for both IOS and Android.
- 2015: LogMeIn acquires LastPass for $110 million.
- 2016: LastPass launched its Authenticator app to provide two-factor authentication for LastPass accounts.
- 2017: LastPass launched their Families plan, which lets 6 family members share a LastPass account.
- 2018: LastPass launched its Business plan for small businesses.
- 2019: LastPass introduced their Premium plan, which has additional features like emergency access.
- 2020: LastPass launched their Identify Theft Protection plan to provide theft monitoring and protection for their users.
- 2021: LastPass introduced the LastPass Vault Password Manager for Teams, intended for businesses with over 100 employees.
- August 2022: LastPass is breached for the first time. An unauthorised party accessed LastPass’s development environment.
- December 2022: The same unauthorised party accesses some partially encrypted customer vault data backups.
The strong suit of LastPass Vault System
LastPass employs the following security features:
Password vault encryption
Password vault encryption is a password encryption process that uses a secure encryption algorithm. Password vault encryption prevents unauthorised access to passwords.
256-bit AES encryption
256-bit AES encryption is a type of symmetric encryption algorithm that uses a 256-bit key for encrypting data. The 256-bit key means there are 2^256 keys, which is a massively large number. The likelihood that hackers will crack such a key is extremely low, even if they use the best supercomputers.
LastPass never gains access to your master password or encrypted data. Your master password is used to encrypt your data on the app’s servers. So by not storing your master password or encrypted data, your information remains safe even if LastPass’s servers are compromised.
Secure servers are protected from unauthorised access. LastPass stores their servers in secure data centres across the globe. These data centres are protected by everything from physical security to network and data security.
Regular security audits
Third-party organisations perform regular security audits to assess the security of an organisation. LastPass regularly hires such organisations to ensure their security measures are effective and updated.
What was lost in each breach
The following data was lost in the two data breaches in 2022.
First Breach (August 2022)
An unauthorised party gained access to LastPass’s development environment, which included both source code and proprietary technical information. But no customer data was lost over the four-day period.
Second Breach (December 2022)
Last Pass suffered a second breach in December 2022. The attacker accessed one of the third-party cloud-based storage service providers affiliated with LastPass. The attacker used information from the August 2022 breach to decrypt the data they acquired.
The data they decrypted included customer information, like names, email addresses, phone numbers, and IP addresses. The attacker also accessed backups of customer vault data. But they were unable to access all the data according to LastPass.
LastPass responded to the hack by advising customers to change their master passwords and enable multi-factor authentication.
Lesson from LastPass about CyberSecurity
The LastPass security breaches teach three following lessons for everyone.
Keep your software updated
Hackers routinely exploit known vulnerabilities to access data. The best way to combat this is to regularly update your software with the latest security patches. That way, you’ll prevent them from exploiting known vulnerabilities.
The easiest way to update your software is by enabling automatic updates. Automatic updates simplify the process and ensure your software is always up-to-date.
Use strong and unique passwords
Strong and unique passwords are one of your best online defences. Strong and unique passwords are difficult to guess. So use strong and unique passwords for all your online logins.
You can create strong passwords by using long strings of text, numbers, and special characters. And use a password manager to ensure you have different passwords for every online login.
Enable multi-factor authentication (MFA)
Multi-factor authentication (MFA) adds additional security to your login process. Introducing multiple authentications, like a password and fingerprint or an OTP from your phone, reduces the risk of unauthorised access.
Password managers are extremely useful. They help create strong and unique passwords for you that prevent unauthorised access to your accounts. Password managers also make logging in easy from your devices. That way, you don’t forget your passwords anymore.
That being said, PowerbITs no longer recommends LastPass. Multiple other password managers provide the same features without the dramatic, recent history.
We recommend any of the following:
These password managers provide excellent encryption with a user-friendly interface.
Password managers are a necessity nowadays. They’re the best way to manage your passwords and ensure you have strong and unique passwords. But choosing and introducing the right password manager isn’t always easy.
Sometimes you may need professional help. You can contact PowerbITs for a free consultation to figure out the right password manager for you.