Update on the LastPass Security Breach and Our Password manager Recommendation

We are writing this post to inform you about the latest LastPass security breach, which we feel is important enough to share with all our clients, not only those who use LastPass. LastPass is a widely trusted password manager, but as this incident shows, no technology is immune from security issues. LastPass's own account of the incident is here.

LastPass disclosed that “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” What makes this so critical is that, with those credentials and keys, the threat actor was able to access the following information:

Data Breach:

  • The threat actor copied information from a backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
  • The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Key things to remember:

  • Secure Notes are encrypted fields that remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password under LastPass’s Zero Knowledge architecture.
  • Your master password is never known to LastPass and is not stored or maintained by LastPass.
  • There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.

Our Concerns:

  1. Sensitive info in the Notes field of password entries (this is different from a Secure Note, which is a separate entry type in LastPass). LastPass’s notice names usernames, passwords, secure notes and form-fill data as encrypted fields and URLs as unencrypted; it does not spell out every field, so treat anything sensitive you kept in the Notes field of a password entry as exposed.
  2. Accounts set up before 2018. The twelve-character master password minimum and the 100,100 PBKDF2 iterations described below were not applied retroactively to older accounts, so check the iteration count on your account.
  3. Instances where your Master Password was a reused password or followed a pattern you used elsewhere. For example, if you used “Rivers123” as a password on another site and then made your LastPass Master Password the same or something similar, like “Rivers1234” or “Rivers123!”, the stolen vault can be attacked with a short list of guesses derived from the leaked password.

For #1 above, change the corresponding sensitive data as soon as possible. For example, if you kept security questions and answers in the Notes field of a password entry, change those questions and answers on that site (or, better, enable MFA there instead).

For #’s 2 and 3 above (but especially for #3), all password entries in your LastPass Vault should be changed as soon as possible. Change the Master Password as well: the copy already stolen cannot be re-encrypted, but a cracked Master Password would otherwise still open your live vault.

What Should LastPass Customers Do?

As a reminder, LastPass’s notice lists its default master password settings and best practices as follows (LastPass’s words):

  • Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.
  • To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
  • We also recommend that you never reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack).
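The two knobs in the list above, the PBKDF2 iteration count and master-password reuse, are what decide whether a stolen vault backup can be cracked offline. The following is an added illustration, not LastPass code: it derives a 256-bit key from a master password with PBKDF2-HMAC-SHA256 (salting with the lowercased account e-mail is this example’s assumption), runs a guess list built from a password that already sits in a breach dump, and compares the per-guess cost at 5,000 iterations (a count many older accounts were left at) against 100,100. The HMAC “verifier” stands in for the attacker’s real check of whether a candidate key decrypts a field into something well-formed; the names and sample values are constructed for the example.

```python
import hashlib
import hmac
import time


def derive_vault_key(master_password, account_email, iterations):
    """256-bit vault key from the master password via PBKDF2-HMAC-SHA256.

    Salting with the lowercased account e-mail is this example's assumption.
    The salt is public (it was in the stolen metadata), so it adds no secrecy;
    only the iteration count and the password's unpredictability cost the attacker.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_verifier(vault_key):
    """Stand-in for the attacker's real check ('does this key decrypt an
    encrypted field into something well-formed?'). An HMAC over a fixed label
    gives the same yes/no oracle without needing an AES library."""
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def mutate(leaked):
    """Cheap variants of a password already sitting in a breach dump: the
    'same or similar' pattern from the Concerns section above."""
    variants = [leaked]
    variants += [leaked + suffix for suffix in ("!", "1", "12", "123", "#", "?", "2023")]
    variants += [leaked[:-1] + d for d in "0123456789"]          # bump the last digit
    stem = leaked.rstrip("0123456789")
    variants += [stem + str(n) for n in range(1234, 1240)]       # Rivers123 -> Rivers1234
    variants += [leaked.capitalize(), leaked.upper(), leaked.lower()]
    return list(dict.fromkeys(variants))                          # dedupe, keep order


def crack(candidates, account_email, iterations, verifier):
    """Try each candidate master password offline against the stolen vault.
    Returns (password_or_None, guesses_made, seconds_per_guess)."""
    start = time.perf_counter()
    for n, guess in enumerate(candidates, 1):
        key = derive_vault_key(guess, account_email, iterations)
        if hmac.compare_digest(make_verifier(key), verifier):
            return guess, n, (time.perf_counter() - start) / n
    elapsed = time.perf_counter() - start
    return None, len(candidates), elapsed / max(len(candidates), 1)


def years_to_exhaust(search_space, seconds_per_guess, parallel_guessers=1):
    """How long a brute force of `search_space` guesses takes at the measured
    per-guess cost; `parallel_guessers` models a GPU rig as a simple multiplier."""
    return search_space * seconds_per_guess / parallel_guessers / (365 * 24 * 3600)


def demo(iterations):
    # Constructed scenario: the user reused "Rivers123" elsewhere (it is in a
    # public dump) and picked the "similar" master password "Rivers1234".
    email = "alice@example.com"
    verifier = make_verifier(derive_vault_key("Rivers1234", email, iterations))
    found, guesses, per_guess = crack(mutate("Rivers123"), email, iterations, verifier)
    # A truly random 12-character master password from a 62-symbol alphabet,
    # for comparison, at the same per-guess cost and a hypothetical 10^6 guessers.
    random12_years = years_to_exhaust(62 ** 12, per_guess, parallel_guessers=10 ** 6)
    return {"found": found, "guesses": guesses, "seconds_per_guess": per_guess,
            "random12_years": random12_years}


if __name__ == "__main__":
    for it in (5_000, 100_100):
        r = demo(it)
        print(f"{it:>7} iterations: recovered {r['found']!r} in {r['guesses']} guesses, "
              f"{r['seconds_per_guess'] * 1000:.1f} ms/guess; "
              f"random 12-char password would take ~{r['random12_years']:.2e} years")
```

Run it and the point of both concerns is visible at once: the reused-pattern master password falls in a few dozen guesses regardless of the iteration count, because the search space is tiny, while the iteration count multiplies the cost of every guess by roughly twenty between 5,000 and 100,100 and only pays off when the password itself is unpredictable.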

Is 1Password A Safe Alternative to LastPass?

1Password is a safe choice. It encrypts vault data with AES-256, and each account is additionally protected by a Secret Key, a 34-character random string that is generated on, and stored only on, your own devices and is never sent to 1Password. Because the Secret Key is combined with your account password to derive the encryption key, a copy of your encrypted data taken from 1Password’s servers cannot be attacked by guessing your password alone. Keep a copy written down in a safe physical location or on separate offline storage: without it you cannot sign in on a new device. This goes beyond what most password managers offer.

1Password’s zero-knowledge design means neither your account password nor your Secret Key is ever known to the company, and the Secure Remote Password (SRP) protocol authenticates you to the service without transmitting either one, so they cannot be intercepted in transit.
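To make the Secret Key’s role concrete, here is an added illustration of the principle behind it (1Password calls its scheme Two-Secret Key Derivation); it is not 1Password’s code, and the HKDF labels, salt derivation, PBKDF2 iteration count and the grouped display format are this example’s choices. The vault key is the XOR of a key stretched from the account password and a key expanded from a 128-bit Secret Key, so it depends on both. The same short guess list that breaks a password-only vault fails against a server-side copy, because the attacker has no Secret Key to plug in; only an attacker who also has the device-held Secret Key can test password guesses. Names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract + expand) with SHA-256, built on stdlib hmac."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_secret_key():
    """128 random bits generated on the device and never sent to the service."""
    return secrets.token_bytes(16)


def display_secret_key(raw):
    """Human-copyable form for the user's written backup. Dash-grouped base32
    is this example's convention, not 1Password's format."""
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 5] for i in range(0, len(text), 5))


def vault_key(password, secret_key, account_id, iterations=100_000):
    """Two-secret key derivation: the password goes through PBKDF2, the
    Secret Key through HKDF, and the two 256-bit outputs are XORed. The
    result needs BOTH inputs; salts come from the public account id only."""
    pw_salt = hkdf_sha256(account_id.encode("utf-8"), b"", b"example:pw-salt")
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), pw_salt, iterations, 32)
    sk_part = hkdf_sha256(secret_key, account_id.encode("utf-8"), b"example:secret-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def verifier(key):
    """Stand-in for 'does this key decrypt a vault field into valid plaintext'."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def guess_passwords(candidates, secret_key, account_id, target, iterations=100_000):
    """Attacker holding a stolen copy of the encrypted vault tries candidate
    passwords. `secret_key` is whatever the attacker has: the real one (device
    also compromised) or a random stand-in (server-side theft only)."""
    for pw in candidates:
        key = vault_key(pw, secret_key, account_id, iterations)
        if hmac.compare_digest(verifier(key), target):
            return pw
    return None


def demo(iterations=100_000):
    account = "alice@example.com"
    sk = new_secret_key()                                        # lives only on Alice's devices
    target = verifier(vault_key("Rivers1234", sk, account, iterations))
    candidates = ["Rivers123", "Rivers1234", "Rivers123!"]        # constructed, dump-derived list
    server_thief = guess_passwords(candidates, secrets.token_bytes(16), account, target, iterations)
    device_thief = guess_passwords(candidates, sk, account, target, iterations)
    return {"server_side_theft": server_thief, "device_plus_server_theft": device_thief,
            "secret_key_shown": display_secret_key(sk)}


if __name__ == "__main__":
    print(demo())
```

The trade-off the text describes follows directly: the Secret Key removes the password from the critical path of a server-side breach, but it also means the user, not the vendor, is the only party who can recover it, which is why the written backup matters.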

1Password holds a SOC 2 Type 2 report, an independent audit against the AICPA’s trust services criteria that attests to its data-handling controls. The most current SOC 2 report is available on request. The company also runs a private bug bounty program through Bugcrowd, with 387 unique researchers looking for bugs.

1Password undergoes regular penetration tests by ISE and security audits by Onica, with past pentests and security assessments completed by AppSec Consulting, nVisium, and CloudNative.

Overall, 1Password is designed so that only you hold the secrets needed to decrypt the passwords, financial details, and other personal information kept in your account. You keep full control of those secrets, and the layered design (account password plus Secret Key, zero-knowledge storage, SRP authentication) protects your data both at rest and in transit. To conclude, 1Password is a safe, well-designed password manager, especially for advanced users.

What do we recommend?

1Password is not immune to security issues: it has had vulnerabilities reported and fixed, but nothing comparable to what we have seen with LastPass. Read more here, where you can see that LastPass has had a security event almost every year since 2014, whereas 1Password’s published issues have been vulnerabilities that were fixed rather than breaches of customer data.

1Password is what we recommend to our clients because of how seriously the platform takes security and its lack of comparable security events.

Why do we recommend 1Password? It has never been hacked!

It bears repeating: 1Password has never been hacked. But even if its infrastructure were breached in the future, your encrypted data would still be protected by your account password and Secret Key, neither of which 1Password holds.

1Password puts it this way in its own post on the question (https://blog.1password.com/what-if-1password-gets-hacked/): “Every decision we make at 1Password begins and ends with the safety and privacy of your information. We know how important your data is, and it’s on us to make sure it stays completely safe from prying eyes.”
