Lastpass breach included customers’ encrypted vaults

Evidently the breach Lastpass suffered back in August is much more severe than initialy thought:


glad that I have deleted my account there when I moved to 1password 2 years ago

I think “encryption” and “zero-knowledge encryption” get thrown around like they’re easy to properly implement and manage. It’s not if, but when for some of these companies/applications and I think we tend to have a false sense of security.

1 Like

This is why I think it’s a bad idea to use any password manager that can be accessed via a website. The internet and security don’t go together. It’s why I won’t use 1 Password, I don’t want my vaults where hackers prowl.

1 Like

But does your local password manager run on an air gapped machine?

I currently use a web based password manager (Bitwarden), but this gives me pause.

A local password manager could be compromised just like a web password manager, but it’s less of a target. Hacking 1Password provides the hackers with an abundance of riches. Somehow hacking my local computer will get them access to my personal accounts, but that’s a lot of effort for much less gain.

1 Like

No it doesn’t. Nor does it necessarily need to do so. There is a huge difference between your actual data being accessible by a website and having an encrypted vault sitting on dropbox or icloud.

Hackers are probably not as interested in a single vault on someone’s personal cloud storage. But Lastpass, 1 Password and other website facing password managers are the biggest prize. They open the doors to millions of accounts.

1 Like

That’s not an unreasonable point of view and I won’t argue against it too terribly vigorously, because I’m not completely convinced that it’s wrong. However, I will share that in my professional experience the amount of data breached resulting from compromised endpoints (individuals’ devices) is vastly greater than what results from breaches at cloud services. We don’t hear about it because it’s almost never reported.

People tend to overestimate their ability to maintain the security for their personal devices while greatly underestimating the the likelihood that they’ll be targeted. They’re kind of right: They probably won’t be individually targeted, but these days attacks are highly automated and attacking millions individual users is as easy as attacking one.

I’m not saying that cloud services are without risks, but experience tells me that individual systems are not at all safe anymore (they never really were, but the nature, methods, and capabilities of our adversaries has greatly evolved over the past decade).


I tend to agree with @ACautionaryTale: It is quite an effort to keep local devices and my network safe while being able to access everything from everywhere. I am still in the “cloud camp” and I am confident in Bitwarden (worth reading):

  • E2E, all encryption is done locally,
  • 2FA for accessing my account enabled (I use a YubiKey AND Authy as second factors, I am planning to change that to just YubiKeys in the near future)

There’s no difference at all. Both are encrypted vaults available via a web page. Both Dropbox and iCloud have websites.

iCloud and Dropbox are as big targets as 1password. In iCloud’s case, much bigger.

1 Like

I probably wasn’t clear in what I meant. Gaining access to 1 Password through the website compromises the vaults security, because the eco-system can decrypt vaults. Gaining acces to dropbox and finding a 1 Password vault doesn’t get you any closer to decrypting it.

I’m fairly certain that the decryption happens only on your local device even when you’re using a web client to access your vault. 1Password does (or at least should) not have the ability to decrypt your stored secrets for any access method.

(Edit to add: Giving a browser process access to your master password is probably not an invalid concern though, but that doesn’t weaken the inherent security of the service unless you choose to use a browser based access method that requires such a thing)

1 Like

You may be right, but I still don’t trust my most most sensitive data where it can be accessed via a web browser. :man_shrugging:

That is correct, does not have the ability to decrypt users vaults.

True. While “they” may not be targeted their devices are. For example In the last few years both QNAP and Synology devices have been the target of ransomware. If large corporations are no longer able to provide their own security what’s the odds that individuals and small businesses can?

“Deloitte’s survey of more than 500 IT leaders and executives reveals that security and data protection is the top driver. With 58 percent of respondents ranking it No. 1 or 2, security is top-of-mind for everyone, from C-suite IT executives and senior leaders to IT managers and developers.”

August 26, 2019.

“About 44% of traditional small businesses use cloud infrastructure or hosting services. That’s compared to 66% of small tech companies and 74% of enterprises. There is one more thing. The public cloud will host 63% of SMB workloads and 62% of SMB data within the next year.”

Oct 21, 2022

1 Like

Perhaps. But I doubt a hacker is specifically looking for (for example) Keepass vaults when hacking iCloud. With 1Password/LastPass it’s clear what they’re getting and they can target brute force attacks accordingly. With iCloud it’s a two step process.

LastPass have stored a lot of unencrypted data… so for example a hacker can tell which sites a user has accounts on. That in itself is a massive breach of privacy.

That is a good read and impressive. I couldn’t see specifically whether they encrypt e.g., website addresses or if it is just the password and other associated notes, but it seems to be implied. If so, I’m a lot less concerned as I think brute force attacking my passphrase would be a sufficient challenge, at least for now.

This does remind me to review data I’ve left hanging around on the internet. For example, I abandoned an Evernote account a while back, but left the account in case I returned at some point, data included. I’ve just gone in to delete the account. I’ll do the same for other services (as far as I can remember!) which I’ve tried and discarded.


I would be willing to bet quite a large number of beers that they absolutely do look for exactly such things (among many other things of “high” value). The sophistication of endpoint attacks has become astoudingly high and that (literally) keeps me up at night.


The folks at 1Password seem to agree with that: