Skip to content

Why It’s Time for Me to Say Goodbye to LastPass

image of a red padlock on a colorful laptop screen with a no entry symbol across it

For years, I’ve been a dedicated LastPass user, believing in the security of their password manager and appreciating the company’s transparency when it came to dealing with past incidents. As one of the most popular password managers with over 25 million users, it’s understandable that LastPass would be a prime target for cybercriminals.

Despite security breaches dating back to 2011, I didn’t see the need to search for alternatives. However, recent events have forced me to reevaluate my loyalty to LastPass.

The unravelling of trust: A timeline of LastPass security incidents

August 2022: The initial breach

The year 2022 brought a series of challenges for LastPass users, myself included. In August, the company revealed that an unauthorised party had gained access to parts of their development environment, leading to the theft of source code and proprietary information. Although CEO Karim Toubba assured users that master passwords were safe, the situation spiralled further out of control.

November 2022: The plot thickens

By November, Toubba admitted that the attackers had accessed some customer data, though he insisted that user passwords remained encrypted and secure. My faith in LastPass began to wane as more details emerged about the extent of the breach.

December 2022: The full extent revealed

In December, LastPass disclosed that the attackers had breached a cloud-based storage environment containing archived backups of production data, customer account information, metadata, and customer vault data.

The breach had far-reaching consequences. While encrypted data, such as usernames and passwords, were still protected by 256-bit AES encryption, unencrypted data like website URLs had been compromised.

The attackers now held password vaults but couldn’t decrypt them without attempting brute-force methods using known passwords from other breaches. This development put users with weak master passwords at risk, urging them to change all their passwords as soon as possible.

The final straw: March 2023 update

Just when you thought it couldn’t get any worse, it came to light in a March 2023 update that the attackers had targeted a senior DevOps engineer by exploiting vulnerable third-party software installed on their home computer. In doing so, they managed to implant keylogger malware and capture the employee’s master password, giving them access to the engineer’s LastPass corporate vault.

Security experts criticised LastPass for its inadequate privileged access and vulnerability management measures. In addition, many questioned why the engineer’s home computer use hadn’t been flagged, whether a Bring Your Own Device (BYOD) policy was in place, and why the engineer hadn’t been provided with a corporate laptop for remote work.

Lastpass 2023 incident summary 2

The aftermath: Reassessing password manager security

Following these revelations, I’ve decided it’s time to look for alternatives to LastPass. Both Norton Password Manager (free) and 1Password (subscription) are highly recommended. 1Password, for instance, offers an additional layer of security by combining a master password with a secret key.

The recent LastPass security breach has been a wake-up call, reminding me that no matter how much trust I place in a company, it’s crucial to scrutinise its security culture and response to incidents. The way LastPass handled this situation, from communication to security protocols, has left me disappointed and concerned for my data’s safety. It’s important to note that absolute security is a myth, and breaches can happen to any company.

However, it’s how a company reacts, communicates, and learns from these incidents that makes all the difference. In this case, LastPass’s response has left me questioning their ability to protect my information.

Time to switch to a new password manager

In the wake of these events, my advice to fellow LastPass users is to consider switching to another password manager. While the company has implemented new policies and controls for cloud-based storage resources and privileged access, it’s worth questioning why these measures weren’t in place from the start.

Ultimately, trust is the cornerstone of any relationship with a password manager. And for me, that trust has been shattered. It’s time to seek out a more secure alternative, and I encourage you to do the same. We live in a world where cyber threats are ever-evolving, and taking a proactive approach to our digital security is crucial.

Did you know? According to a survey by TechRepublic, some vendors may pay for web traffic or other sales opportunities, which is why they can offer their services for free. This highlights the importance of understanding the business model of your password manager and how it might impact their security practices.

In my opinion, it’s essential to stay informed about the latest developments in cybersecurity. As Evan Johnson, a security engineer who worked at LastPass more than seven years ago, aptly put it, “They are doing a world-class job detecting incidents and a really, really crummy job preventing issues and responding transparently.”

Don’t wait for another breach to occur before reassessing your choice of password manager. Stay informed, and stay vigilant in protecting your sensitive data. Remember, your digital security is in your hands, and sometimes that means making tough decisions to protect yourself.

Leave a Reply