LastPass's Changing Story: How a Breach Disclosure Evolved Over Three Months
LastPass's data breach disclosure moved from "no customer data was accessed" in August 2022 to "encrypted vaults for all customers were stolen" by December 2022: three public statements, each widening the scope of the one before it, as the investigation caught up with what the attacker had actually done.
Attack Chain
1. Phishing email targets employee
2. Credentials compromised
3. LastPass dev environment accessed
4. Encrypted password vaults stolen
5. Master password brute-force attempted
Background
LastPass is a widely used password manager that stores encrypted vaults for tens of millions of users. In August 2022 the company disclosed a security incident. What followed was a case study in how breach disclosures evolve, and in how an organisation's initial statements can be contradicted by its own later findings.
The Attack
Timeline of disclosures:
- August 25, 2022: LastPass discloses that an unauthorised party used a single compromised developer account to enter the development environment and take portions of source code and proprietary technical information. The notice states that no customer data was accessed.
- November 30, 2022: LastPass discloses that the attacker used information obtained in the August incident to gain access to a third-party cloud storage service shared with parent company GoTo, and that "certain elements" of customer information were accessed.
- December 22, 2022: LastPass discloses the full scope. The attacker copied a backup of customer vault data covering all customers. Sensitive fields (site usernames, passwords, secure notes and form-fill data) are encrypted under a key derived from each user's master password, using PBKDF2-SHA256 with 100,100 iterations by default; website URLs, however, are stored unencrypted, and the same backup held unencrypted account information such as names, billing and e-mail addresses, telephone numbers and the IP addresses from which customers used the service. Because the attacker holds the encrypted blobs, the master passwords can be guessed offline without limit; the cost of doing so is set only by master password strength and the iteration count, and independent researchers later reported older accounts still configured with far fewer iterations than the default.
- March 1, 2023: a further update explains how the second intrusion began. The attacker compromised a DevOps engineer's home computer through a vulnerable third-party media software package, installed a keylogger and captured the engineer's master password, which in turn exposed the keys needed to decrypt the cloud storage backups.
Response
LastPass published technical disclosures at each step, with the level of detail increasing as the narrative changed. The company reported changes to its security architecture and to the controls around engineers' access to production secrets after the breach. Parent company GoTo (formerly LogMeIn) disclosed in January 2023 that the same cloud storage intrusion had exposed encrypted backups of several of its own products. Customers were advised to change their master passwords and to rotate every password stored in LastPass, since a stolen vault can be attacked offline indefinitely.
Outcome
The changing disclosure narrative, even if it reflected genuine investigation progress rather than deliberate concealment, severely damaged LastPass's reputation. Customers told in August that nothing of theirs had been touched had no basis for rotating credentials until four months later, by which point the attacker had held their vaults for weeks. The breach drove significant customer migration to competing password managers.
Key Takeaways
- Initial breach disclosures are almost always incomplete; organisations must commit to updating them as the scope becomes clear, and should avoid categorical claims ("no customer data was accessed") that the investigation has not yet earned
- A stolen password-manager vault is an offline target: customers must assume every stored credential will eventually be recovered and rotate all of them, so the sensitivity of the data demands immediate, unambiguous communication
- Offline resistance rests entirely on master password strength and the key derivation cost (iteration count); weak or legacy settings for either turn "encrypted" into "delayed"
- DevOps engineers' home computers holding production credentials or decryption keys are critical security risks that need specific controls (dedicated managed devices, hardware-backed secrets, no key material on personal machines)
- Unencrypted metadata (URLs) in an encrypted vault reveals which accounts exist; this is high-value intelligence for targeted phishing and credential-stuffing even if the passwords are never cracked