Arrow back

What you need to know about the LastPass incident

22 March, 2023

Let’s be perfectly honest: nobody likes passwords. It’s the primary reason why the most commonly used passwords are as simple as they come - many of us feel as though we’ve got better things to do than memorise dozens (if not hundreds) of unique and secure passwords.

That’s why 30% of internet users utilise password managers to store their passwords and remove the need for password memorisation.

However, there’s only one constant in cybersecurity: technology can’t save us.

The recent LastPass incident is a prime example of why technologies must be paired with strong cybersecurity foundations. So, join us as we share what happened in the breach, what we can learn, how to create strong passwords and promote cybersecurity awareness training for employees.

What happened in the LastPass data breach?

LastPass is, by far, the most popular password management tool in the world. Commanding more than 21% of the market, its pitch is simple: one secure location for all of your passwords across every device.

However, in August 2022, the company announced that it had suffered a data breach, indicating that it was a minor and contained incident. What has followed has been a slow-moving disaster. Here’s the timeline of events so far:

  • August 23, 2022: LastPass informs customers that they’ve detected “some unusual activity” within the “development environment”. An initial investigation discovered no evidence of an unauthorised party accessing customer data or password vaults. The breach occurred when cybercriminals accessed a compromised developer account and stole sections of the source code.
  • September 15, 2022: LastPass says its security team has detected a cybercriminal inside its development system. This individual had four days' worth of access, but the company claimed they’d contained the activity. The company again stressed that the development section is separate from the production environment, and therefore no customer accounts were accessed.
  • November 30, 2022: LastPass first admits that customer data was compromised due to the August breach. CEO Karim Toubba said “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
  • December, 22, 2022: Shortly before Christmas, LastPass detailed the breach further, editing that customer data was significantly compromised” after an unknown threat actor copied a cloud-based backup of the customer vault data. LastPass insist, however, that this data cannot be accessed without “a unique encryption key derived from each user’s master password”.
  • March 1, 2023: LastPass informs customers that they “completed an exhaustive investigation and have not seen any threat actor activity since October 26”. However, they stress that this is an ongoing investigation and remain on a high level of alert.

While LastPass quickly responded to the incident and has maintained regular updates since, resetting the passwords of affected accounts and prompting all users to update their master passwords, it’s an eye-opening incident.

The LastPast breach highlights that even password managers, which are supposed to be the ultimate defence mechanism against password-related cyber attacks, can’t protect your data completely.

Protect your organisation with truly effective training

Join the thousands who've discovered how Bob's Business' security and compliance awareness training reduces risk, demonstrates improvement and builds cultures.

What can we learn from the breach?

The LastPass data breach serves as a valuable lesson for individuals and organisations on the importance of taking cybersecurity seriously. Here are some key lessons we can learn from this incident:

Password managers are not invulnerable

Password managers are useful for generating and storing strong passwords but are not immune to attacks. This breach demonstrates that a single compromised password can lead to multiple account breaches. In this case, the compromised developer account meant that the threat actors could gain access to everything they needed.

Therefore, it is essential to implement additional security measures and monitor password manager accounts regularly.

Multi-factor authentication is a must

Multi-factor authentication adds an extra layer of security by requiring users to provide additional information, such as a fingerprint or code sent to their mobile device, in addition to a password. Implementing multi-factor authentication can make it much harder for hackers to gain access to user accounts.

Security awareness training is crucial

Cybersecurity is not just an IT issue; it is a business issue that requires the involvement of all employees. Cybersecurity awareness training for employees can help to prevent human error that can lead to a breach. Educating employees on identifying and preventing cyber attacks can go a long way in improving an organisation's overall security.

Regularly review and update security policies

Cyber threats are constantly evolving, and organisations need to regularly review and update their security policies to ensure they are up-to-date and effective in mitigating the latest threats.

Why you shouldn't rely on technology to protect your passwords

The LastPass incident is a prime example of why we should not rely solely on technology to protect our passwords. While password managers are an excellent tool for generating and storing strong passwords, they can also become a single point of failure.

If a hacker gains access to a password manager account, they can potentially access all of the user's accounts that are stored in the password manager.

Furthermore, no system is entirely secure. A determined and skilled hacker can bypass even the most advanced security measures.

Therefore, it's important for all of us to equip ourselves with the knowledge of how to create strong passwords and promote cybersecurity awareness training for employees.

How to create a strong password

Creating a strong password is one of the most effective ways to protect your online accounts. Here are some tips on how to create a strong password:

  1. Use a combination of letters, numbers, and symbols: A password with a random combination of these elements is much harder to crack than one with only letters or numbers.
  2. Make it long: The longer the password, the harder it is to crack. Aim for a password that is at least 12 characters long.
  3. Avoid common words and phrases: Hackers use automated tools that can quickly guess common words and phrases. Therefore, avoid using words like "password," "123456," or "qwerty."
  4. Use a unique password for each account: Using the same password for multiple accounts is a huge security risk. If one account is compromised, all other accounts that use the same password are also at risk.

How can Bob’s Business help your organisation?

At Bob's Business, we know that cybersecurity training is essential to protect your organisation. That's why we offer engaging and tailored online cybersecurity training to empower all team members to recognise and respond to cyber threats, protecting your organisation from the 90% of breaches caused by human error.

Our training is designed to be bite-sized, interactive, and easily integrated into your busy schedule. Additionally, our engaging content ensures that your team stays motivated and focused throughout the training process.

Act now to protect your organisation and customers from cyber threats by exploring our comprehensive range of cybersecurity awareness training products. Click here to start reducing your risk today.

Back to resources

Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.

Girl with laptop
Boy with laptop
man and woman with laptops
Global Cyber Alliance