LastPass had a tough year in 2022 due to several hacking incidents that exposed serious weaknesses in its security. The attacks were carried out by threat actors who stole LastPass’s source code and exploited a vulnerability in a remote-access app used by its employees. The hackers installed a keylogger on the computer of a senior engineer at the company, which let them capture the employee’s LastPass master password and thereby gain access to the employee’s vault and all the secrets it contained.
Unfortunately, LastPass kept production backups and critical database backups in the cloud, which meant that a significant amount of sensitive customer data was stolen. Although the hackers were unable to decrypt the most sensitive data (such as email addresses and passwords) because it was encrypted using a zero-knowledge method, they were able to access backups of LastPass’s multi-factor authentication database, API secrets, customer metadata, configuration data, and more.
LastPass has faced criticism for its handling of the attacks and for trying to hide its breach support pages from search engines by adding noindex metadata to them. It’s highly recommended that LastPass users switch to a different password manager. There are plenty of other superb password managers available that can reliably protect your important information.