Anatomy of a Breach: LastPass — When the Password Vault Was Breached

> series: anatomy_of_a_breach —— part: 078 —— target: lastpass —— stolen: auth_hashes_email_addresses —— trust_model: challenged

Hedgehog Security 30 June 2015 12 min read

The tool that protects all your passwords was itself breached.

On 15 June 2015, LastPass disclosed that it had discovered and blocked suspicious activity on its network. The investigation revealed that attackers had accessed email addresses, password reminders, server per-user salts, and authentication hashes. LastPass stated that the encrypted password vaults — the core data that users trusted LastPass to protect — were not accessed, and that the master password hashing (using PBKDF2-SHA256 with 100,000 iterations) would make brute-forcing the authentication hashes extremely difficult for users with strong master passwords.

The 2015 breach was, in isolation, well-handled — LastPass detected it quickly, disclosed transparently, and the encrypted vaults were not stolen. But it raised a fundamental question that the security industry had been debating since password managers became mainstream: what happens when the vault that holds all your passwords is the target? The question would be answered definitively in 2022, when LastPass suffered a far more serious breach in which encrypted vaults were stolen — and the security of users' master passwords became the only defence.


Centralised password management — essential, but a single point of failure.

Password managers solve the credential reuse problem that has powered breaches throughout this series — from LinkedIn to Adobe to the credential dump summer. By generating and storing unique, strong passwords for every service, they break the reuse chain. But they create a new risk: the password vault becomes the single point of failure. If the vault is compromised, every credential it contains is at risk.

Master Password Strength Is Everything

When a password manager is breached, the security of the encrypted vault depends entirely on the strength of the master password. Users with strong, unique master passwords are protected. Users with weak master passwords are exposed. This is why <a href="/cyber-essentials">Cyber Essentials Danzell</a> emphasises strong authentication — and why MFA on the password manager itself is critical.
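An added example (not from the article, and not LastPass's own code) tying together the two points above: the per-user salt and the 100,000-iteration PBKDF2-SHA256 the article quotes make every guess against a stolen authentication hash cost 100,000 HMAC calls, while the entropy of the master password multiplies the attacker's work exponentially. The salts, the sample passwords and the 1e9 raw SHA-256 per second attacker rate are constructed assumptions used only to size the comparison.

```python
import hashlib
import hmac
import math
import os

# Parameters the article gives for LastPass's 2015 scheme: PBKDF2-SHA256, 100,000 iterations,
# one server-side salt per user. Everything else in this file is constructed for illustration.
ITERATIONS = 100_000


def derive_auth_hash(master_password: str, server_salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Server-side authentication hash: PBKDF2-HMAC-SHA256 over the master password and the
    per-user salt. This is the value an attacker who copied the user table would hold."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), server_salt, iterations)


def verify_master_password(candidate: str, server_salt: bytes, stored_hash: bytes,
                           iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison so the login path does not leak which byte first differed."""
    return hmac.compare_digest(derive_auth_hash(candidate, server_salt, iterations), stored_hash)


def attacker_guess_rate(raw_sha256_per_second: float, iterations: int = ITERATIONS) -> float:
    """Each PBKDF2 guess costs roughly `iterations` HMAC-SHA256 calls, so the iteration count
    divides the attacker's raw hash rate linearly."""
    return raw_sha256_per_second / iterations


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password: half the keyspace at the given rate.
    Human-chosen passwords fall far sooner than this; it is the best case for the user."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    salt_alice, salt_bob = os.urandom(16), os.urandom(16)   # constructed per-user salts
    h_alice = derive_auth_hash("correct horse battery staple", salt_alice)
    h_bob = derive_auth_hash("correct horse battery staple", salt_bob)
    # Same master password, different per-user salt: no precomputed table serves two users.
    print("salts isolate users:", h_alice != h_bob)
    print("login ok:", verify_master_password("correct horse battery staple", salt_alice, h_alice))

    rate = attacker_guess_rate(1e9)   # assumed 1e9 raw SHA-256/s on a GPU rig -> 1e4 guesses/s
    for label, bits in [("8 lowercase letters", password_entropy_bits(26, 8)),
                        ("10 mixed-case + digits", password_entropy_bits(62, 10)),
                        ("5 Diceware words", password_entropy_bits(7776, 5))]:
        years = expected_crack_seconds(bits, rate) / (365 * 86400)
        print(f"{label:24s} {bits:5.1f} bits  ~{years:.3g} years at {rate:.0e} guesses/s")
```

Raising the iteration count buys a linear factor; lengthening the master password buys an exponential one, which is why the article's advice centres on the master password rather than on the server-side hashing alone.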
MFA on the Vault

LastPass encouraged users to enable MFA following the breach — adding a second factor to the master password before the vault could be accessed. MFA on a password manager provides defence in depth: even if the master password is compromised, the second factor prevents access. Our <a href="/penetration-testing/web-application">application testing</a> verifies MFA implementation on critical systems.

Password Managers Are Still Essential

Despite the breach, the security calculus remains clear: using a password manager with a strong master password and MFA is dramatically more secure than reusing passwords across services. The alternative — password reuse — has fuelled the majority of breaches in this series. Our <a href="/blog/from-the-hacker-desk-cracking-passwords-afternoon">password assessments</a> demonstrate why unique passwords are essential.

Enterprise Password Management

For organisations deploying enterprise password management, the LastPass breach underscored the importance of evaluating the password manager's own security posture, encryption architecture, and breach history. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for credential compromise indicators regardless of how credentials are managed.

Protect the tool that protects your passwords.

The LastPass breach teaches that security tools are themselves targets — and must be secured with the same rigour as the assets they protect. For organisations, this means: enable MFA on password managers, ensure master passwords are strong and unique, evaluate the security architecture of any centralised credential store, and maintain the ability to rotate all credentials if the vault is compromised.

Cyber Essentials mandates strong authentication controls. Our penetration testing assesses credential management practices and enterprise password vault security. Dark web monitoring through SOC in a Box detects when your credentials appear in breach datasets. And UK Cyber Defence provides incident response when credential compromise is detected.


Even the password vault can be breached. Is your credential management resilient?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. Our <a href="/penetration-testing">penetration testing</a> assesses credential management. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for credential compromise.
