On December 22, 2022, password manager vendor LastPass revealed that it was the victim of a breach in which an unauthorized party obtained copies of customer password vaults.

The impacted customer data includes encrypted fields (passwords, usernames, notes) and unencrypted fields (website addresses). Decrypting the encrypted fields requires a key derived from the user's master password, which the attacker does not have; what the attacker does have is the vault itself, so guesses can be made offline against the stolen copy with no lockout or rate limiting. The risk of a user's passwords being revealed therefore depends on the strength of that user's master password. The unencrypted website addresses need no decryption at all: they tell the attacker which services each user holds accounts with.

LastPass believes that its encryption will keep the encrypted data secure. At Agio, we're concerned that vaults protected by weak, short, or reused master passwords could eventually be decrypted, since an attacker holding the vault can keep guessing for as long as the data retains value. To that end, it's important for all LastPass users to take action to protect themselves.
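To make the "strength of the master password" point concrete, here is an added example (written for this page, not LastPass code, and not LastPass's real vault format) that models what an attacker can do with a stolen vault. It assumes a PBKDF2-HMAC-SHA256 key derivation with a 100,000-iteration count and a stored key-check value that lets a guess be confirmed; both are modeling assumptions, as is the constructed wordlist. The point it demonstrates is that a dictionary-grade master password falls after a handful of offline guesses, while a long random one is never reached, and that raising the iteration count only scales the attacker's cost linearly.

```python
import hashlib
import hmac
import os
import time

# Constructed model of a stolen vault blob, not LastPass's real file format.
# What matters for the argument: the attacker holds the salt, the KDF
# parameters, and something that distinguishes a right guess from a wrong one
# (here a key-check value; a ciphertext with a MAC or padding works the same way).
ITERATIONS = 100_000          # assumed PBKDF2 iteration count for this model
KEY_CHECK_LABEL = b"vault-key-check"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def key_check(key: bytes) -> bytes:
    """Value stored next to the ciphertext that confirms a derived key is right."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def make_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Everything the attacker obtains when the vault is stolen."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": key_check(key)}


def guess_is_correct(vault: dict, guess: str) -> bool:
    """One offline guess: no server involved, so no lockout and no rate limit."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    return hmac.compare_digest(key_check(key), vault["check"])


def offline_attack(vault: dict, candidates) -> tuple:
    """Try candidates in order; return (recovered_password_or_None, guesses_made)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if guess_is_correct(vault, candidate):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(vault: dict) -> float:
    """Time one derivation; the cost grows linearly with the iteration count."""
    start = time.perf_counter()
    guess_is_correct(vault, "timing-probe")
    return time.perf_counter() - start


def years_to_exhaust(search_space: int, per_guess: float) -> float:
    """Worst-case time for one CPU core to try every candidate in the space."""
    return search_space * per_guess / (365 * 24 * 3600)


# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["password", "123456", "Welcome1", "Summer2022!", "letmein", "Qwerty!23"]

if __name__ == "__main__":
    weak = make_vault("Summer2022!")
    found, n = offline_attack(weak, WORDLIST)
    print(f"weak master password recovered: {found!r} after {n} guesses")

    strong = make_vault("correct-horse-battery-staple-9f3a")
    found, n = offline_attack(strong, WORDLIST)
    print(f"strong master password recovered: {found!r} after {n} guesses")

    per = seconds_per_guess(weak)
    # 26**6 is every 6-character lowercase password; 94**12 is every random
    # 12-character password drawn from the printable ASCII set.
    for label, space in [("26^6", 26**6), ("94^12", 94**12)]:
        print(f"{label}: {years_to_exhaust(space, per):.3g} core-years "
              f"at {per * 1000:.0f} ms/guess")
```

Run it as a script to see the two attacks side by side. The measured cost per guess is for a single Python process; real attackers run PBKDF2 on GPUs at thousands of guesses per second, which is why the search-space comparison, not the iteration count, is the number that matters.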

What Actions Should You Take?

We recommend informing employees about the breach and sharing the following advice with anyone who uses LastPass personally. The recommendations are largely the same for personal and enterprise customers.

  • Change your LastPass master password immediately, and choose a long one that you do not use anywhere else
  • Change all passwords for accounts you store in LastPass
  • Prioritize your most critical accounts first: banking, email, and any other site that holds sensitive information
  • Ensure you are using MFA or two-factor authentication on all critical accounts, so that a recovered password alone is not enough to log in

Should You Change Password Manager Vendors?

Truth be told, all cloud-based password managers face the same type of risk. No security control is a 100% guarantee against compromise, but the risk password managers mitigate (reused and weak passwords across many sites), coupled with the convenience they provide, is a net security improvement. Layering controls by adding two-factor authentication is an important aspect of a mature security strategy.

When it comes to moving from LastPass to another password management solution, each company or individual must make their own decision considering their risk tolerance against the various factors at play.

Here are some considerations for organizations who are thinking about moving away from LastPass:

Your organization may choose to leave LastPass because

  • They were breached, and you lost control of your password vaults
  • Investors, insurers, and other counterparties may look unfavorably on you for continuing to use LastPass after a breach
  • You lost trust in LastPass after their “damage-control-heavy” communication
  • The attacker has been compromising LastPass in a chain of incidents going back to August; how do you know they're not going to come back in a few months?

Your organization may choose to stay at LastPass because

  • The risk profile of any cloud-based password manager is the same (e.g., you're no more secure at another vendor than you are at LastPass)
  • All cloud-based password managers are big targets. LastPass was already breached; who's to say the vendor you move to isn't next?


To protect your organization's data, Agio firmly believes in following the "Brilliance in the Basics," as well as implementing a robust detection & response program that watches for security gaps and prevents attacks. Agio's vCISOs support organizations in making security decisions like these every day. Contact us; we've got you covered.
