Decipher File · August 2022 to February 2023
LastPass: How a Two-Stage Breach Reached the Encrypted Customer Vaults
The LastPass incident is the password manager breach that proved a compromised developer endpoint can reach encrypted customer vaults. Between August 2022 and February 2023, a threat actor chained a DevOps engineer's master password, stolen by a keylogger on a home computer, to a backup database and exfiltrated encrypted customer vault data plus unencrypted website URLs.
Incident summary
LastPass is a password manager that stores encrypted customer credentials in a zero-knowledge architecture, where the master password derives the encryption key locally and the server never holds the plaintext key. Per LastPass's August 25, 2022 disclosure, between August 8 and 11, 2022 a threat actor compromised a software developer's account and accessed parts of the LastPass development environment, exfiltrating source code and technical documentation.
LastPass disclosed on December 22, 2022 that the same actor had used information acquired in the August incident to mount a second-stage attack between August 12 and October 26, 2022. The actor compromised a DevOps engineer's home computer using a vulnerability in a third-party media software package, installed a keylogger, and captured the engineer's master password after the engineer authenticated with MFA.
The DevOps engineer was one of four LastPass employees with access to decryption keys for customer vault backup data stored in AWS S3. The actor used those keys to decrypt the backup wrapping and exfiltrated the encrypted customer vault database. Per LastPass's March 1, 2023 root cause update, the data exfiltrated included unencrypted vault metadata such as website URLs, plus the encrypted vault contents which remain protected by each customer's master password.
Attack technique
The second-stage technique chain maps to MITRE ATT&CK T1056.001 (Input Capture: Keylogging) at the engineer's home computer, T1552.001 (Unsecured Credentials: Credentials In Files) for the retrieved backup decryption keys, and T1530 (Data from Cloud Storage) for the AWS S3 backup access. The August 2022 first stage maps to T1566 (Phishing) and T1059 (Command and Scripting Interpreter) per LastPass's published timeline, though the specific delivery details remain limited.
The keylogger captured the master password after MFA authentication, since the keylogger sat on the host operating system and observed keystrokes including the post-MFA password entry. This pattern defeats MFA on the user-credential layer because MFA validates session start, not session integrity, and a keylogger captures whatever follows.
Per the March 2023 update, the third-party media software package vulnerability that gave the actor remote code execution on the engineer's home device was not disclosed by name. LastPass referenced 'a vulnerable third-party media software package' without identifying the product. Independent reporting by Ars Technica and Krebs on Security identified Plex Media Server as a candidate based on timing of CVE-2020-5741 exploitation, but LastPass has not confirmed the specific product publicly.
Impact and consequences
LastPass disclosed that customer vault data including unencrypted URLs and encrypted credential fields was exfiltrated. The encrypted fields remain protected under 256-bit AES with a key derived from each customer's master password, but customers with weak master passwords or low PBKDF2 iteration counts face brute-force risk on offline-decrypted data. LastPass had used a default of 5,000 PBKDF2 iterations on legacy accounts, which is below the OWASP-recommended minimum of 600,000 for that primitive.
TRM Labs and other blockchain analytics firms tracked over $150 million in cryptocurrency theft between 2022 and 2025 attributed to LastPass-linked vault decryption, per their published reports. The pattern of cryptocurrency wallet drainage from victims known to have used LastPass became one of the longest-tail consequences of any single breach.
LastPass faced a class action lawsuit filed in January 2023 in the District of Massachusetts. Parent company GoTo (formerly LogMeIn) disclosed in November 2022 that the LastPass-related incident also affected GoTo customer backups. The reputational impact accelerated migration to competing password managers including 1Password, Bitwarden, and Dashlane through 2023 and 2024.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Exploitation of a vulnerable third-party media software package on a DevOps engineer's home computer
- Keylogger capturing the master password after MFA authentication on a personal device
- Authentication to the LastPass corporate vault from a single DevOps engineer with backup-database access
- Access to AWS S3 buckets storing encrypted backups of customer vault data
- Decryption keys for customer-data backups acquired from the engineer's accessible LastPass entries
Lessons for defenders
Personal devices should not have access to crown-jewel production secrets. The compromise reached the engineer's home computer, not a managed corporate device. Requiring a managed device for any production secret access is the structural defense, supported by EDR coverage, OS patching, and software allowlisting on those managed devices.
Backup decryption keys deserve hardware key management. The keys that wrapped the customer vault backups were retrievable from a single DevOps engineer's accessible credentials. HSM-backed wrapping keys, multi-party computation for backup-decryption operations, and just-in-time elevation for backup access all close this attack surface.
PBKDF2 iteration counts age out. LastPass legacy accounts at 5,000 iterations were exploitable for brute force at modern GPU rates. Argon2id with appropriate parameters, or PBKDF2 with at least 600,000 iterations, is current practice. Password manager vendors should automatically migrate customer iteration counts forward.
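The iteration-count argument made here and in the impact section, carried through in code as an added example that is not from LastPass or the Decipher File: PBKDF2-HMAC-SHA256 derivation at 5,000 versus 600,000 iterations, an account check against the OWASP floor, and a simple cost model showing how offline guessing time scales with the stored iteration count. The salt, master password, candidate-space size and attacker HMAC rate are constructed figures, not values from the incident.

```python
import hashlib
import time

# Figures from the text: the legacy LastPass default and the OWASP minimum for PBKDF2.
LEGACY_ITERATIONS = 5_000
OWASP_MIN_ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit AES vault key


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The salt passed in is an assumption for illustration; a deployment binds it to the account.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt.encode(), iterations, dklen=KEY_LEN)


def meets_owasp_minimum(iterations: int) -> bool:
    """Account-level check a vendor can run before forcing an iteration-count migration."""
    return iterations >= OWASP_MIN_ITERATIONS


def relative_cost(weak_iterations: int, strong_iterations: int) -> int:
    """PBKDF2 work is linear in the iteration count, so this is the per-guess cost multiplier."""
    return strong_iterations // weak_iterations


def exhaustive_search_seconds(candidate_space: int, iterations: int, hmac_per_second: float) -> float:
    """Time for an offline attacker to try every candidate in `candidate_space`.

    One PBKDF2 guess with a 32-byte output costs `iterations` HMAC-SHA256 evaluations,
    so exposure of an exfiltrated vault scales directly with the iteration count it was stored under.
    """
    return candidate_space * iterations / hmac_per_second


def time_derivation(iterations: int, rounds: int = 3) -> float:
    """Measure the local cost of one derivation so the two settings can be compared on real hardware."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_vault_key("constructed-master-password", "user@example.com", iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    RATE = 1e10  # constructed attacker rate in HMAC-SHA256 evaluations per second
    for n in (LEGACY_ITERATIONS, OWASP_MIN_ITERATIONS):
        print(f"{n:>7} iterations: {time_derivation(n):.4f}s per derivation locally, "
              f"{exhaustive_search_seconds(10**8, n, RATE):.0f}s to exhaust 10^8 guesses at {RATE:.0e} HMAC/s, "
              f"meets OWASP minimum: {meets_owasp_minimum(n)}")
    print("per-guess cost multiplier:", relative_cost(LEGACY_ITERATIONS, OWASP_MIN_ITERATIONS))
```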
Disclosure cadence matters. LastPass's December 22, 2022 disclosure followed an August 25, 2022 disclosure that downplayed customer impact. Krebs on Security and other reporting documented the gap in characterization. Mature breach disclosure provides incremental updates with the best available information rather than retracting initial scope statements months later.
Master password strength is the customer's only defense post-exfiltration. Customers using weak master passwords or reused passwords from prior breaches faced direct vault decryption risk. Customer education on master password length, uniqueness, and post-incident rotation became a default support workflow for password manager vendors after this incident.
Frequently asked questions
Did LastPass attackers get access to plaintext customer passwords?
Per LastPass's December 22, 2022 disclosure and March 1, 2023 update, the exfiltrated data included unencrypted vault metadata such as website URLs and the encrypted vault contents. The encrypted fields are protected by AES-256 with a key derived from each customer's master password through PBKDF2. Customers with strong unique master passwords retain protection. Weak or reused master passwords face brute-force risk on offline-decrypted data.
How did the second LastPass attack actually get into the systems?
Per LastPass's March 1, 2023 update, the threat actor compromised a DevOps engineer's home computer using a vulnerability in a third-party media software package, installed a keylogger, and captured the engineer's master password after the engineer authenticated with MFA. The engineer was one of four LastPass employees with access to backup decryption keys, which the actor then used against AWS S3 backup data.
What should LastPass customers have done in response?
Rotate all credentials stored in LastPass, prioritizing financial, email, and cryptocurrency accounts. Enable MFA on every account where supported. Migrate to a password manager with current Argon2id or high-iteration PBKDF2 defaults. Customers using legacy LastPass accounts with 5,000 PBKDF2 iterations should rotate especially urgently because offline brute-force feasibility increases each year on that parameter set.
Sources
- LastPass Notice of Recent Security Incident (December 22, 2022) · LastPass disclosure of customer vault data exfiltration
- LastPass Security Incident Update (March 1, 2023) · LastPass second-stage incident root cause and customer guidance
- LastPass Notice of Recent Security Incident (August 25, 2022) · LastPass initial August 2022 incident disclosure
- Krebs on Security: Experts Fault LastPass Disclosures · December 22, 2022 reporting on disclosure timing
- TRM Labs: Multi-Year LastPass-Linked Cryptocurrency Theft Tracking · Blockchain analytics tracking of vault-derived cryptocurrency theft
- MITRE ATT&CK T1056.001 Keylogging
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.