
No, LastPass Didn't Expose Your Passwords

Yes, a LastPass website containing customer info was breached. But the hackers didn’t even come close to getting hold of your passwords.

By Neil J. Rubenking, Principal Writer, Security


When you heard that LastPass got hacked, did your heart sink? Did you imagine that all your accounts and passwords had been captured by random hackers? If so, I have good news: Your passwords are safe. The breach involved the kind of customer information that any site must track, not the specialized and thoroughly encrypted vault that holds your passwords.


So, Just What Was Stolen in the LastPass Breach?

Picture your password vault as a bank safe deposit box full of valuables. Having the box itself stolen would be disastrous. The current hack is more like having someone take your picture as you enter the bank. There’s some risk to your privacy, but none to the stored valuables.

It’s important to distinguish the code that makes up the LastPass website from the encrypted database that holds your passwords. A website is necessarily exposed to the outside world—if it weren’t, nobody could visit it. That exposure means that any security hole can potentially be exploited.

Your password vault, on the other hand, opens only with your strong master password. Zero Trust security architecture, standard for password management tools, means the company can’t get at your data, period. The feds can’t compel LastPass to reveal your passwords. A disgruntled employee can’t steal them. Only you can open the vault.
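To make the distinction concrete, here is an added example (constructed for this article, not LastPass code) of the vault architecture described above: the key that opens the vault is derived on the user's device from the master password, and the server is handed only a separate authentication hash plus the encrypted blob. The HMAC-SHA256 counter-mode stream cipher is a standard-library stand-in for the AES a real password manager would use, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumed work factor; real products pick their own


def derive_keys(master_password, email):
    """Vault key stays on the device; only the auth hash is sent to the server."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS)
    # Extra one-way step so the server-side auth hash cannot yield the vault key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key, entries):
    nonce = os.urandom(16)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(vault_key, nonce, len(pt))))
    tag = hmac.new(vault_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_vault(vault_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + ct, "sha256").digest()):
        return None  # wrong key or tampered blob: nothing is revealed
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))
    return json.loads(pt)


def breach_simulation():
    """Everything the server holds vs. what only the device can do with it."""
    vault_key, auth_hash = derive_keys("correct horse battery staple", "user@example.com")
    server_record = {"auth_hash": auth_hash,
                     "blob": encrypt_vault(vault_key, {"bank.example": "hunter2!x"})}
    # Someone with the whole server record (but not the master password) gets None.
    stolen = decrypt_vault(server_record["auth_hash"], server_record["blob"])
    # The user's own device derives the vault key and unlocks the vault locally.
    local = decrypt_vault(vault_key, server_record["blob"])
    return stolen, local
```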

As you may remember, LastPass also suffered a website security breach in August 2022. A hacker gained access and retained it for four days, picking up some LastPass source code and some proprietary technical data, but no passwords. According to a statement from the company, the just-revealed breach built on information stolen in the previous breach.

LastPass hasn’t specified precisely what information was captured in the breach, calling it “certain elements of our customers’ information.” Given that the breach occurred on a third-party cloud storage service used by LastPass, its parent company GoTo, and others, I suspect the hackers captured customer information such as email addresses, snail-mail addresses, and possibly some encrypted credit card information. Once again, this hack didn’t come near your passwords.


We’ve Seen Worse

As noted, your passwords exist in an encrypted online database, decrypted only when you need to use them on your local device. This does mean that your password exists locally in unencrypted form, at least temporarily. A hack in 2019 took advantage of this fact, subverting the LastPass Chrome extension to draw out the most recent set of login credentials. The security team at LastPass quickly patched extensions for Chrome and Firefox and gave a thorough examination to extensions for other browsers.

According to the researcher who discovered the flaw, a hacker can code a website so it fetches the most recent entry from LastPass, though this could require the victim to click the gimmicked page several times. It’s not clear whether this theft would include the URL matching the login credentials, though that information could likely be obtained by other means.

This is decidedly worse than the recent security event, in that a malefactor could gain access to one set of login credentials. But unless you’ve used the same password across multiple sites (bad idea!), that’s just one account endangered. All the other passwords stored in your vault are safe. The vault itself remains intact.


Should You Use a Password Manager?

So, is it time to give up on fancy password managers and go back to keeping a spreadsheet with your passwords, or a paper notebook? Not really. Written passwords can be stolen, and the need to type them in manually means you’ll be tempted to keep them unreasonably short and easy. You can copy and paste passwords from a spreadsheet, true, but even if you put them in Google Sheets, you won’t have the cross-platform convenience of a password manager. Also, do you really trust your passwords to Google’s security?

When LastPass imposed limits on the use of its free edition, many users jumped ship. Given that your passwords weren’t actually exposed in this latest breach, is there any real reason to switch password managers? Perhaps there is. LastPass was among the first password management programs, and it’s extremely well known, so it’s a big target. Conceivably you might be safer choosing an effective but less famous password solution. You can even get excellent free password management from PCMag Editors’ Choice winner Bitwarden.

Any password manager worth its salt uses Zero Trust architecture for password storage. But you need to hold up your own side of the security partnership by selecting a strong master password, something that you can remember but that nobody else will guess. Be sure, too, to engage your password manager’s multi-factor authentication system. That way even a crook who steals your long, strong password won’t be able to gain access.

Hackers are gonna hack, and sometimes they’ll successfully breach even a password manager’s website. Just as with any other data breach, they might walk away with some customer information. But as for the passwords themselves, those are locked up tight.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMware Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.
