Password management: Where LastPass got it wrong and how to approach the issue in organizations

Publication Date

24 March 2023



Jonas de Abreu
Mariana Cunha e Melo


In August 2022, LastPass suffered two cyberattacks that breached customer data and encrypted passwords. LastPass acknowledged the attacks, but its communication was not transparent enough. In November 2022, a follow-up attack further compromised customer data. LastPass communicated that this was a low-risk attack and that customers did not need to take any action. However, in December 2022, LastPass admitted the actual scale of the breach: all customer vaults had been compromised. It is important to note that every company suffers frequent attacks; the proper security posture is to assume that everything will eventually be compromised. The incident makes the case for why companies should always deploy additional defenses, such as security keys, to stay secure in the long term.


