Skip To Content

Hackers Expose LastPass Security Gaps

News Update

Think about all the passwords that school employees have to keep up with for applications and software such as Skyward, Canvas, and Office365. For security reasons, passwords should never be written down. That’s why many districts invest in password management tools, which create one master password that controls employees’ individual passwords. If your district uses a tool called LastPass, you need to know about recent cyberattacks that took advantage of the product’s security gaps.

What Happened?

LastPass built a reputation as a reliable organization that uses military-grade AES 256-bit encryption on users’ master passwords. In 2019, the company identified a vulnerability on their Web portal. The LastPass security team quickly patched the vulnerability, and there were no reports of data theft or exposure. In August and November 2022, however, LastPass suffered two large data breaches.

The breaches appear to have been the result of poor third-party vendor security, but a large amount of customer data was stolen. LastPass tried to reassure customers that the data was in big, encrypted blocks. Because of the AES-256 encryption, it would be nearly impossible for hackers to decode.

LastPass didn’t know that metadata associated with saved websites underneath each user’s master password was not encrypted. So, hackers could see saved usernames, website addresses, and passwords stored in browsers when users entered that information into LastPass.

Then in September 2023, cybercriminals emptied the crypto wallets of several prominent cryptocurrency traders. The only common denominator? The victims were all using LastPass master passwords. It is now generally accepted hackers are decrypting stolen data blocks.

What Does it Mean to You?

LastPass strongly recommends customers follow its remediation steps for individual and business users. Work with your IT department to determine whether your organization has been targeted and follow LastPass’ suggested protective measures to ensure you aren’t a secondary victim. If you're exploring other password management tools, make sure you vet your vendors.

Lucas Anderson headshot
Lucas Anderson
Privacy and Cyber Risk Consultant

Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance. 

Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.