
The LastPass Breach Incident: A Tale of Two Sets of Users


No set of security measures can render your data perfectly secure. But you can come close, if you follow best practices that harden your systems against the most common vulnerabilities.

We’ll review exactly what’s meant by “best practices” below, but first let’s look at the successful attack on the password management application LastPass – and how differently that attack played out for their customers who followed best practices compared to those who did not.

What happened with LastPass

As you will have heard if you keep a news alert for cyberattacks (easy to set up in Google News or any other news reader), in August 2022 LastPass detected a breach of its infrastructure. At first the company believed it had contained the intrusion, but later disclosures revealed more damage: in late November it reported a second intrusion that used information taken in August, and in December it confirmed that the attackers had copied customer password vaults.

This is one of the worst nightmares of any customer of a password manager. 

For over a decade we have been advised to use password managers such as LastPass, 1Password, and others, because losing control of a password is one of the most common ways an account is compromised. The argument for a manager is that it makes it easy to create, store, retrieve, use, and regularly change very strong passwords: strings well over a dozen characters long, mixing upper case, lower case, numerals, and special characters.

What’s more, a password manager enables anyone to use a unique very strong password for each account they own – no duplicates anywhere. 

With the LastPass incident, we see that even with all those advantages, and all their emphasis on security, a password manager is not impervious to a breach.

The vault contents, including the passwords themselves, remained encrypted with keys derived from each user's master password. That was a relief.

But the website URLs stored in each vault were not encrypted, so the attackers could still see which accounts each user had. That was a disturbing and ominous development, since a list of accounts is easy to cross-reference against username and password data from other breaches for sale on the dark web, and it makes targeted phishing of those users far easier.

Here’s where the story diverges for customers who used best practices and those who did not. 

A dark story of immediate danger

The story was dark for LastPass customers who had not followed best practices all along: those who reused the same password across multiple accounts, chose weak, easy-to-guess passwords, or never turned on multifactor authentication.

These users were suddenly in clear and present danger of significant intrusions, losses, exposures, and damage. Their passwords across multiple accounts were now plausibly available to attackers, and a weak master password left the stolen, encrypted vault itself open to offline guessing, with no rate limit or lockout to slow the attacker down.

It is crucial to note that the LastPass incident did not create this risk. It was just the last link in a chain of events. LastPass customers had no control over that last link, but they did have control over the other links: specifically, whether they used strong passwords, unique passwords, and multifactor authentication. Users who chose not to were already at risk, all along.

Other successful breaches of any number of apps and services, including some that may never be discovered or publicized, produce the same immediate danger.

A telling story of danger averted

Customers who did follow best practices, with unique, strong passwords and two-factor authentication, were almost perfectly safe, provided their master password was strong enough to resist offline guessing. True, the attackers had a list of their Internet accounts. But since every password was unique, a password leaked anywhere else unlocked nothing, and since they used two-factor authentication on every account that allowed it, even a correct password was not enough on its own. The bad actors could do little with the information.

What does it mean for your business? 

These data breaches are clear lessons that no data can be perfectly safe, and no cybersecurity can be perfect. There are always risks. And so it’s better (and in terms of manageable risk it’s enough) to put up as many fences as you can before your data becomes part of a breach.

It’s important to know the simple best practices and to follow them. Those users who do so are relatively safe, even if their information is part of a data breach. 

What should you do now, in light of the LastPass breach?

1. Use strong, unique passwords

Every account you have, whether you consider it sensitive or not, needs a strong, unique password. Password managers are still the best option for generating, storing, updating, and retrieving strong, unique passwords. 

The master password that opens your password manager should be easy for you to memorize but impossible for someone else to guess, and (like any password) it should never be used anywhere else, for any reason. It is too important and powerful: once a copy of your encrypted vault is in an attacker's hands, as happened at LastPass, it can be attacked offline at the attacker's leisure, and the master password is the only thing standing between the attacker and its contents. The manager's own two-factor login does not protect a vault that has already been copied.
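To make the offline threat concrete, here is an added example (not LastPass's code, and not a description of its actual key-derivation scheme) of what an attacker can do with a stolen, encrypted vault. It assumes the vault key is stretched from the master password with PBKDF2-HMAC-SHA256 under a fixed, constructed salt, and stands in a hash of that key for the encrypted blob so that each guess can be checked. The wordlist, the master passwords and the iteration counts are all constructed for illustration.

```python
import hashlib
import time
from typing import Iterable, Optional

# Illustrative parameters only; this is not a claim about LastPass's real scheme.
# A real product stores a per-user random salt alongside the encrypted vault.
SALT = b"constructed-per-user-salt"


def derive_vault_key(master_password: str, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), SALT, iterations)


def make_verifier(master_password: str, iterations: int) -> bytes:
    """Stand-in for the stolen blob: anything that lets a guess be checked.

    A real attacker would try to decrypt the vault with the derived key; hashing
    the key gives the same yes/no oracle without needing a cipher in this example.
    """
    return hashlib.sha256(derive_vault_key(master_password, iterations)).digest()


def offline_guess(verifier: bytes, iterations: int, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: no rate limits, no lockouts, no 2FA prompt. Just try candidates."""
    for candidate in wordlist:
        if make_verifier(candidate, iterations) == verifier:
            return candidate
    return None


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost the iteration count imposes on every single guess."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-probe-{i}", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed wordlist: the kind of candidates a cracking rig tries first.
    wordlist = ["123456", "password", "qwerty", "letmein", "Summer2022!", "Lastpass1"]
    iterations = 100_000

    weak = make_verifier("Summer2022!", iterations)
    strong = make_verifier("orbit-velvet-canyon-37-lantern", iterations)
    print("weak master recovered:  ", offline_guess(weak, iterations, wordlist))
    print("strong master recovered:", offline_guess(strong, iterations, wordlist))

    for iters in (1_000, 100_000, 600_000):
        print(f"{iters:>8} iterations: {seconds_per_guess(iters):.4f} s per guess on this CPU")
```

Two things follow from running it. The weak master password falls to a six-word list, while the long passphrase is never even tested; no online control (lockout, 2FA, alerting) participates, because the vault is already on the attacker's machine. And the per-guess cost scales linearly with the iteration count, which is why the defender wants a high iteration count and the attacker wants the opposite; a strong master password is the one lever entirely in the user's hands.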

2. Use two-factor authentication wherever possible

Wherever it is technically available, use two-factor authentication. An authenticator app or a hardware security key is preferable to codes sent by SMS or email, since phone numbers can be hijacked through SIM swapping and an email account is itself just another account that can be compromised, but any second factor beats none. It matters not only for highly sensitive accounts such as banking logins, but for every account that offers this extra layer, because any foothold in your business or personal accounts can be used to reach the others.
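Steps 1 and 2 together amount to an audit you can run against your own vault. The following added example (written for this article, not a LastPass feature) loads a constructed CSV export in the common url/username/password layout, flags passwords that are reused, shorter than a chosen policy length, or attached to accounts without a second factor, and replaces the reused and short ones with fresh passwords drawn from the operating system's CSPRNG. The sample accounts and passwords are fictional, and the "mfa" column is an assumption added for the example.

```python
import csv
import io
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Constructed sample export (fictional accounts and passwords). The columns
# follow the usual url/username/password layout of a manager's CSV export;
# the "mfa" column is an assumption added for this example.
SAMPLE_EXPORT = """url,username,password,mfa
https://bank.example,alice,Tr0ub4dor&3,yes
https://shop.example,alice@example.com,Tr0ub4dor&3,no
https://mail.example,alice@example.com,correct-horse-battery-staple-9Q,yes
https://forum.example,alice,summer22,no
https://cloud.example,alice@example.com,J8$kq!vZ2p#Lm4wXn7Rt,no
"""

MIN_LENGTH = 16  # policy threshold chosen for this example
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def load_vault(export_text: str) -> List[Dict[str, str]]:
    """Parse an export into one dict per entry."""
    return list(csv.DictReader(io.StringIO(export_text)))


def audit(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each url to the problems found, in the order: reused, short, no-mfa."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        sites_by_password[e["password"]].append(e["url"])

    findings: Dict[str, List[str]] = {}
    for e in entries:
        issues = []
        if len(sites_by_password[e["password"]]) > 1:
            issues.append("reused")      # one breach anywhere unlocks every site in the group
        if len(e["password"]) < MIN_LENGTH:
            issues.append("short")       # cheap to guess offline once a hash or vault leaks
        if e.get("mfa", "").strip().lower() != "yes":
            issues.append("no-mfa")      # a correct password alone is enough to get in
        if issues:
            findings[e["url"]] = issues
    return findings


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG (secrets, never random) with all four classes present."""
    if length < 4:
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def remediate(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a copy in which every reused or short password is replaced by a fresh, unique one."""
    findings = audit(entries)
    fixed = []
    for e in entries:
        e = dict(e)
        problems = findings.get(e["url"], [])
        if "reused" in problems or "short" in problems:
            e["password"] = generate_password()
        fixed.append(e)
    return fixed


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    for url, issues in audit(vault).items():
        print(f"{url:<24} {', '.join(issues)}")
    print("after remediation:", audit(remediate(vault)))
```

In the sample, the bank and the shop share a password, so a breach of the shop would hand over the bank login; after remediation the only findings left are the accounts without a second factor, which no script can fix for you. Turning those on is the remaining step.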

3. Continue to use a password manager

Should you continue to use a password manager, after the LastPass incident? Absolutely. Here’s why: 

Just because a bank is robbed doesn’t mean sensible people will store their money elsewhere. Just because stocks enter a bear market doesn’t mean sensible people stop investing. 

And just because a password manager is hacked doesn’t mean sensible people will abandon their use. 

A password manager is still the most secure and useful tool for using unique, strong passwords, changing them regularly, and sharing them safely with authorized users.

Cyber insurance as further risk reduction

Cyber insurance is a further layer of risk reduction. Once all your passwords are strong and unique, two-factor authentication is on wherever possible, and you actively manage your passwords through a password manager, you are in a position to obtain cyber insurance at an affordable price. Premiums are based on risk, and you will have objectively lowered your risk profile.

About the Author:

Doug Kreitzberg, Founder & CEO of SeedPod Cyber

As CEO of USI Affinity and Programs (2004-2018), Doug led affinity business development, marketing and program businesses, including professional liability, commercial property & casualty, personal lines and life and disability Programs. In 2018, Doug founded a cybersecurity and data privacy risk consulting firm. It was through his consulting practice that he learned the value that Managed Service Providers bring to small and medium sized businesses. That insight formed the basis for SeedPod Cyber, a cyber insurance managing general agency Kreitzberg founded in 2021 which partners with Managed Service Providers to provide cyber insurance to their clients.