Learning Center, June 13, 2025

What Did the LastPass Breach Reveal About Password Manager Security?

A Breach That Reshaped Password Manager Security

The 2022-2023 breach of LastPass, one of the most widely used password managers, was a jarring wake-up call for anyone relying on a vault to protect personal credentials and confidential business data. The lesson is not only that data was stolen. It is how the attackers found and chained weak points inside an organization whose job is to hold the keys to the kingdom for millions of users and enterprises.

In 2025 the breach remains a turning point, and reporting on its consequences continues to emerge. Here is what the incident revealed about trust, and about security architecture.

Timeline of the LastPass Breach

The compromise escalated from source code to customer vault data, and it showed that patching software and monitoring third-party exposures matter just as much as cryptography and everyday cyber hygiene.

The compromise occurred in two stages, in August and November 2022. LastPass published statements in August 2022, December 2022, and March 2023 as its forensic analysis progressed.

What Was Exposed?

  • August 2022: Attackers compromised a LastPass developer’s account, which gave them access to source code repositories, cleartext embedded credentials, and internal system secrets.
  • November 2022: Using what they had learned in the first intrusion, the attackers compromised a DevOps engineer’s home computer through a vulnerable third-party software package, combined with information exposed in an unrelated third-party data breach. From that foothold they reached cloud storage holding customer account metadata and backups of customer vault data.

Encrypted vault fields (stolen, but still ciphertext):

  • Website usernames
  • Website passwords
  • Secure notes
  • Form-filled data

Unencrypted vault fields:

  • Website URLs
  • File paths to installed LastPass Windows or macOS software
  • Email addresses, in certain use cases

Unencrypted customer account metadata from the same backups:

  • Email addresses
  • Telephone numbers
  • IP addresses from which customers accessed the service

The encrypted fields are only as strong as the master password behind them. The vault key is derived from the master password with PBKDF2, so an attacker holding a copy of the vault can make unlimited offline guesses, and a weak or reused master password falls to a dictionary or brute-force attack no matter how sound the cipher is; a low iteration count makes every guess cheaper (LastPass’s default at the time was 100,100 iterations, but older accounts could be set far lower). Individuals who reuse passwords across sites face credential stuffing as soon as any one of those sites is breached, while those who use weak passwords are exposed to brute force. The breach is a reminder that a password manager is not a silver bullet and still requires users to follow password best practices.

Why This Breach Was So Alarming

Stolen credentials are almost always cause for alarm, but this breach also exposed structural weaknesses in how password managers are operated. Customers trust providers like LastPass with their most sensitive secrets, yet even a company built around security carries residual risk.

Even security-minded organizations are exposed to human error, which can cause or worsen a breach. According to Verizon’s 2025 Data Breach Investigations Report, to which SecurityScorecard is a proud contributing organization, the human element remains a top breach vector: people were involved in a majority of the incidents Verizon reviewed for the 2025 report.

Five Critical Lessons for 2025

The LastPass breach remains a masterclass in what to avoid and what to strengthen:

  • Assume vaults will leak: Follow password best practices for every credential you store (unique per site, long, rotated after a breach) so that a stolen vault is worth as little as possible to whoever holds it.
  • Use strong master passphrases: Choose a long passphrase of 16 or more characters. Once a vault file is exfiltrated, the master passphrase and the key-derivation work factor are all that stand between the attacker and the plaintext.
  • Verify zero-knowledge architecture: Ensure the provider can authenticate you without ever holding your master password or the key derived from it, so vault contents are encrypted and decrypted only on your device. Also check which fields the provider leaves unencrypted; as LastPass showed, URLs and other metadata can be exposed even when the passwords are not.
  • Secure DevOps infrastructure: Endpoint protection, access control, and audit logging are mandatory for high-privilege users, including engineers who can reach backups and decryption keys. Keep a frequent, regular patching cadence so attackers cannot exploit known and patchable vulnerabilities.
  • Tighten Bring Your Own Device (BYOD) programs: Formalize remote-work and BYOD policies. A personal device that can reach corporate secrets needs the same patching, endpoint protection, and monitoring as a managed one.
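To make the “assume vaults will leak” point and the master-passphrase lesson above concrete, here is an added Python example (not LastPass code, and not LastPass’s real vault format) that models a stolen vault: the key is derived from the master password with PBKDF2-HMAC-SHA256, and the attacker uses the vault’s own authentication tag as an oracle to test guesses offline. The wordlist, the sample secret and the iteration counts are constructed for the illustration, and an HMAC-based stream cipher stands in for AES-256 so the script runs on the standard library alone.

```python
"""Offline attack on a stolen, encrypted vault (added illustration).

Simplified vault model, not LastPass's real format: the vault key is
PBKDF2-HMAC-SHA256 over the master password, and the vault is encrypted with
an authenticated HMAC-SHA256 stream (a stand-in for AES so this needs only the
standard library). The authentication tag doubles as a guess oracle: anyone
holding the file can test master-password candidates offline, so only password
entropy and the KDF iteration count slow them down.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "Welcome1", "dragon"]


@dataclass
class StolenVault:
    salt: bytes
    iterations: int          # PBKDF2 work factor; stored with the vault, so the attacker knows it
    nonce: bytes
    ciphertext: bytes
    tag: bytes               # HMAC over nonce || ciphertext under the vault key


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a toy stand-in for AES-CTR.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int,
                  salt: Optional[bytes] = None) -> StolenVault:
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return StolenVault(salt, iterations, nonce, ciphertext, tag)


def decrypt_vault(key: bytes, vault: StolenVault) -> Optional[bytes]:
    expected = hmac.new(key, vault.nonce + vault.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault.tag):
        return None          # wrong key (or tampered file)
    return bytes(c ^ k for c, k in zip(vault.ciphertext, _keystream(key, vault.nonce, len(vault.ciphertext))))


def crack_vault(vault: StolenVault, wordlist):
    """Dictionary attack on a stolen vault.

    Returns (master, plaintext, pbkdf2_rounds_spent); master is None on failure.
    The rounds figure (guesses * iterations) is the cost the defender controls."""
    rounds = 0
    for guess in wordlist:
        key = derive_key(guess, vault.salt, vault.iterations)
        rounds += vault.iterations
        plaintext = decrypt_vault(key, vault)
        if plaintext is not None:
            return guess, plaintext, rounds
    return None, None, rounds


if __name__ == "__main__":
    secret = b"github.com|alice|hunter2"      # constructed vault entry
    for master in ("Summer2022!", "glacier-tuba-velvet-orbit-kiln"):
        # a low legacy iteration count vs the 100,100 LastPass default at the time
        for iterations in (5_000, 100_100):
            vault = encrypt_vault(master, secret, iterations)
            found, pt, rounds = crack_vault(vault, WORDLIST)
            print(f"{master!r:36} iters={iterations:>7} cracked={found is not None} rounds={rounds}")
```

Run it and compare the two master passwords: the weak one falls after a handful of guesses at either iteration count, the passphrase survives the dictionary, and the rounds column shows the only lever the defender has once the file is gone. That is why a low legacy iteration count matters even though the ciphertext itself is sound.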

The Role of Password Managers in Cybersecurity

Despite the breach, password managers remain essential for:

  • Sharing credentials securely across teams
  • Integrating with identity providers and SSO platforms
  • Managing cloud and infrastructure credentials for DevOps teams

But these benefits come with concentrated risk. A vault breach doesn’t affect one person at a time. It can affect an entire organization, and from there cascade across the digital supply chain.

SecurityScorecard tracks these risks across digital ecosystems in several ways, including by using:

  • Leaked Breach Records Service (68 terabytes of compromised credentials inform our penetration testing and analysis of how hackers break into organizations)
  • DNS sinkhole telemetry from 14 million infected IPs
  • Analysis of exposed applications

When the Password Manager Is the Breach

Although security professionals rightly advise individuals and companies to use password vaults and managers, LastPass shows that the manager itself can become a single point of failure, with cascading consequences for users and companies alike. In this case the attack unfolded in two distinct stages, the first yielding the access and knowledge that made the second, far more damaging stage possible.

Those hackers aren’t alone in targeting passwords. Nation-state Advanced Persistent Threat (APT) groups such as APT29 and APT41 rely on stolen credentials to pass as legitimate users, stay under the radar, and move through networks. They can deploy malicious payloads to steal passwords themselves, or a breach like this one can hand them the credentials they want with little to no effort on their part.

SecurityScorecard’s Supply Chain Detection and Response (SCDR) helps to:

  • Surface password reuse risk across your third-party ecosystem using leaked credential telemetry
  • Identify misconfigured password platforms with exposed services
  • Detect open ports and leaked vault metadata
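As an added illustration of what checking credentials against leaked-credential telemetry can look like in practice (example code, not SecurityScorecard’s tooling and not a description of how SCDR works), the Python below indexes a constructed leak corpus by SHA-1 prefix, answers range queries that reveal only that five-character prefix to the server, and audits a set of accounts for passwords that are leaked or reused across services, which is the condition that turns one site’s breach into credential stuffing elsewhere. The corpus, its counts and the account names are made up.

```python
"""k-anonymous leaked-password lookup and reuse audit (added illustration).

The querying side never sends a password or its full hash: it sends the first
five hex characters of SHA-1, receives every known suffix under that prefix,
and finishes the match locally. The server learns only the prefix.
"""
import hashlib
from collections import defaultdict

# Constructed corpus standing in for leaked-credential telemetry: password -> times seen.
# Both the passwords and the counts are invented for this example.
LEAKED_CORPUS = {
    "password": 9_545_824,
    "Summer2022!": 37,
    "letmein": 1_120_000,
    "hunter2": 42,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server-side index: 5-char hash prefix -> {35-char suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


def range_query(index: dict, prefix: str) -> dict:
    """What the server answers: every suffix sharing the prefix. It sees nothing else."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix, {}))


def leaked_count(index: dict, password: str) -> int:
    """Client side: send the prefix, match the suffix locally; 0 means not in the corpus."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)


def audit_accounts(index: dict, accounts: dict) -> dict:
    """accounts: service -> password, as a vault would hold them.

    Returns findings keyed by service: "leaked(N)" if the password is in the
    corpus and "reused with ..." if another service shares it. Services with
    no findings are omitted."""
    by_hash = defaultdict(list)
    for service, pw in accounts.items():
        by_hash[sha1_hex(pw)].append(service)
    findings = {}
    for service, pw in accounts.items():
        notes = []
        n = leaked_count(index, pw)
        if n:
            notes.append(f"leaked({n})")
        others = [s for s in by_hash[sha1_hex(pw)] if s != service]
        if others:
            notes.append("reused with " + ", ".join(sorted(others)))
        if notes:
            findings[service] = notes
    return findings


if __name__ == "__main__":
    index = build_range_index(LEAKED_CORPUS)
    # Constructed account set: one reused password, one leaked one, one clean passphrase.
    accounts = {
        "github": "hunter2",
        "aws": "hunter2",
        "vpn": "Summer2022!",
        "bank": "glacier-tuba-velvet-orbit-kiln",
    }
    for service, notes in audit_accounts(index, accounts).items():
        print(f"{service:8} {'; '.join(notes)}")
```

The reuse check is the part that matters after an incident like LastPass: a vault whose entries share passwords loses all of them at once, whether the attacker cracks the vault or simply replays a credential exposed somewhere else.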

As the LastPass incident underscored, visibility into vendor or third-party behavior is as critical as ensuring your own controls.

Transform Third-Party Risk into Supply Chain Resilience

With SecurityScorecard’s Supply Chain Detection and Response (SCDR), gain actionable insights into your vendors’ security postures. Our solution empowers you to make informed decisions, ensuring compliance and strengthening your supply chain’s cybersecurity.
