Supply Chain Attacks

LastPass Second Breach: Encrypted Vaults Stolen Using Data from First Attack

LastPass revealed that the August breach enabled a second attack that exfiltrated encrypted customer vaults. The full scope of the damage was devastating.

James, Security Analyst

On November 30, 2022, LastPass CEO Karim Toubba disclosed what the security community had feared since August: the initial developer environment breach wasn't an isolated incident. An attacker had used information stolen in the August breach to launch a second, far more damaging attack that resulted in the theft of customer vault data — the encrypted databases containing millions of users' passwords.

This was the supply chain attack pattern at its most personal. The software people trusted to protect their most sensitive credentials had itself become the vector for their exposure.

The Chain of Compromise

The full attack chain, pieced together from LastPass's disclosures and subsequent independent analysis, reveals a textbook multi-stage supply chain compromise:

Stage 1: Developer Environment (August 2022)

The attacker compromised a LastPass developer account and accessed the development environment for four days. They stole source code and proprietary technical documentation. At the time, LastPass characterized this as limited and stated that no customer data was affected.

Stage 2: Targeting a Specific Engineer (August - November 2022)

Using knowledge gained from the stolen source code and technical documentation, the attacker identified a specific LastPass DevOps engineer as a high-value target. This engineer was one of only four people with access to the decryption keys for LastPass's cloud storage.

The attacker compromised this engineer's home computer by exploiting a vulnerability in a third-party media software package (later identified as Plex, which itself had disclosed a data breach in August 2022). Through this compromise, the attacker installed a keylogger that captured the engineer's master password as they authenticated to the LastPass corporate vault.

Stage 3: Cloud Storage Exfiltration (November 2022)

With the engineer's credentials and decryption keys, the attacker accessed LastPass's cloud storage backups hosted on AWS S3. They exfiltrated:

  • Customer vault data (both encrypted and unencrypted fields)
  • Company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses
  • Website URLs stored in vaults (unencrypted)
  • Encrypted fields including usernames, passwords, secure notes, and form-filled data

What Was Encrypted vs. Unencrypted

This distinction is critical to understanding the actual impact:

Encrypted (requires master password to decrypt):

  • Usernames and passwords
  • Secure notes
  • Form-filled data

Not encrypted (exposed in plaintext):

  • Website URLs for all stored credentials
  • Company names and end-user names
  • Billing addresses, email addresses, phone numbers
  • IP addresses from which customers accessed LastPass

The unencrypted metadata alone was enormously valuable to attackers. Knowing which websites a person has accounts on enables targeted phishing, and the URL data reveals sensitive information about users' financial accounts, health providers, and other services.

The Encryption Question

LastPass stated that encrypted vault data was secured with 256-bit AES encryption, using a key derived from each user's master password with PBKDF2-SHA256. The security of the encrypted data therefore depended entirely on the strength of each user's master password and on the number of PBKDF2 iterations used.

Here's where things got concerning:

  • Default PBKDF2 iterations varied by account age. Newer accounts used 100,100 iterations (the current default). But older accounts might use as few as 5,000 iterations, or even 1 iteration for very old accounts. Users who hadn't logged in recently or changed their settings were significantly more vulnerable to brute-force attacks.

  • Master password requirements were historically weak. LastPass's minimum master password requirement was only 12 characters (increased from 8 in 2018). Users with short, common, or reused master passwords were at significant risk.

  • Offline brute-force is patient. Unlike online attacks that can be rate-limited, the attacker now had the encrypted vaults offline. They could apply as much computing power as they wanted, for as long as they wanted, with no detection.

Security researcher Wladimir Palant and others calculated that for accounts with low PBKDF2 iterations and weak master passwords, decryption could be accomplished in hours to days using commodity hardware. For accounts with strong master passwords and current iteration counts, decryption remained computationally infeasible.
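To make the iteration-count argument above concrete, here is an added example (not LastPass's code) that models the vault key derivation the way it has been publicly described, PBKDF2-SHA256 with the lowercased account email as salt, and quantifies how much cheaper each offline guess becomes at 5,000 or 1 iterations than at the 100,100 default; the account list and email values are constructed, and the salt choice is an assumption.

```python
import hashlib
import time

# Constructed example. The derivation follows the publicly described LastPass
# design (PBKDF2-SHA256, email as salt) as an assumption for cost modelling only.
CURRENT_DEFAULT_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password (AES-256 key size)."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_attacker_work(iterations: int, baseline: int = CURRENT_DEFAULT_ITERATIONS) -> float:
    """How many times cheaper one offline guess is at `iterations` than at the
    current default. PBKDF2 cost is linear in the count, so 1 iteration is
    ~100,100x cheaper and 5,000 iterations ~20x cheaper."""
    return baseline / max(iterations, 1)


def measure_derivation_seconds(iterations: int, email: str = "probe@example.com") -> float:
    """Time a single derivation on this machine; this is the per-guess cost an
    offline attacker pays, and the knob a defender controls with the default."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", email, iterations)
    return time.perf_counter() - start


def audit_iteration_counts(accounts: dict[str, int], minimum: int = CURRENT_DEFAULT_ITERATIONS) -> list[str]:
    """Flag accounts whose stored iteration count sits below the current default:
    the long-standing-account population the article describes."""
    return sorted(email for email, iters in accounts.items() if iters < minimum)


if __name__ == "__main__":
    sample_accounts = {  # constructed sample data
        "alice@example.com": 100_100,
        "bob@example.com": 5_000,
        "carol@example.com": 1,
    }
    for email in audit_iteration_counts(sample_accounts):
        iters = sample_accounts[email]
        print(f"{email}: {iters} iterations, "
              f"{relative_attacker_work(iters):,.0f}x cheaper per guess, "
              f"{measure_derivation_seconds(iters) * 1e3:.3f} ms per derivation")
```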

The Supply Chain Cascade

The LastPass breach is a masterclass in cascading supply chain compromise:

  1. Developer tools → source code theft (the initial development environment compromise)
  2. Source code knowledge → targeted human attack (identifying the specific engineer to target)
  3. Third-party software vulnerability → home computer compromise (Plex vulnerability used to install keylogger)
  4. Home computer → corporate credentials (keylogger capturing the master password)
  5. Corporate credentials → cloud storage (accessing AWS S3 with stolen keys)
  6. Cloud storage → customer data (exfiltrating encrypted vaults)

Each step used information or access from the previous step. The attacker demonstrated patience and sophistication, waiting months between the initial breach and the final exfiltration.

Impact Assessment

The fallout from the LastPass breach was severe and long-lasting:

Immediate credential rotation. Security experts recommended that all LastPass users change their master passwords and rotate every credential stored in their vaults. For users with hundreds of stored credentials, this was an enormous undertaking.

Cryptocurrency theft. In the months following the disclosure, blockchain analysts attributed significant cryptocurrency thefts to credentials stolen from LastPass vaults. Researcher Taylor Monahan documented over $35 million in cryptocurrency stolen from addresses linked to LastPass users.

Trust destruction. For a company whose entire value proposition is securely storing credentials, this breach was existential. The security community largely recommended migrating to alternative password managers.

Regulatory scrutiny. The breach attracted attention from regulators and raised questions about password manager security standards, data retention policies, and disclosure transparency.

Lessons for the Industry

Zero Trust Must Extend to Development Environments

The initial August breach was characterized as limited because "no customer data" was accessed. But the development environment contained the knowledge needed to plan and execute a far more damaging attack. Development environments must be treated as high-value targets.

Home Networks Are Part of the Attack Surface

The attacker compromised an engineer's home computer to steal credentials. As remote work becomes permanent, the boundary between corporate and personal computing environments is increasingly blurred. Organizations need to account for this in their threat models.

Defense in Depth for Key Management

Only four engineers had access to the cloud storage decryption keys. Compromising any one of them was sufficient to access all customer data. Key management systems should require multiple parties (threshold cryptography) and additional verification for sensitive operations.
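As an added illustration of the threshold-cryptography recommendation (example code, not a description of any LastPass system), this Shamir secret-sharing implementation splits a 32-byte storage decryption key among four holders so that any two can reconstruct it while a single compromised holder learns nothing; the key bytes and holder count are constructed.

```python
import secrets

# Field prime: the Mersenne prime 2^521 - 1, large enough to hold a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate a polynomial (secret is the constant term) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: bytes, n: int, k: int) -> list[tuple[int, int]]:
    """Split `key` into n shares; any k of them reconstruct it, fewer reveal nothing."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree k-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares: list[tuple[int, int]], key_len: int = 32) -> bytes:
    """Lagrange interpolation at x=0 over exactly k (or more) distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    storage_key = secrets.token_bytes(32)       # constructed stand-in for the real key
    holders = split_key(storage_key, n=4, k=2)  # four engineers, two required
    assert recover_key(holders[:2]) == storage_key
    print("2-of-4 quorum reconstructs the key; one share alone is a random field element")
```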

Encryption Defaults Must Be Current

The variable PBKDF2 iteration counts meant that long-time, loyal customers were actually the least protected. Security defaults should be automatically upgraded, not left at historical settings.

Transparency and Timeliness in Disclosure

LastPass's disclosure was criticized for being slow, incomplete, and minimizing the severity. The August disclosure said "no customer data" was affected; the full picture didn't emerge until December, and important details came from external researchers rather than LastPass itself.

How Safeguard.sh Helps

The LastPass breach demonstrates why software supply chain security must encompass the entire lifecycle — from development environments to production infrastructure to third-party dependencies. Safeguard.sh provides continuous monitoring across your supply chain, detecting anomalous access to development resources, tracking changes to build and deployment infrastructure, and ensuring that security controls are consistently applied. Our platform helps organizations identify the kind of cascading dependency risks that enabled the LastPass breach before they can be exploited.
