Published 14 January 2025

By Siebe Barée

Why you should stop using LastPass yesterday!

Discover why LastPass's security breaches are just the tip of the iceberg. Learn how modern secrets management can protect your applications and why password managers aren't enough.


The impact of credential theft reached a staggering €51 billion in 2023. Yet enterprises continue using compromised solutions, storing their most sensitive data in systems with proven security failures. LastPass, despite multiple breaches, remains one of the most-used password managers in the world.

What is a password manager?

Password managers are encrypted vaults that store and manage your credentials. Instead of reusing passwords or storing them in plaintext, these tools generate strong, unique passwords for each service while encrypting them behind a master password.

Modern password managers offer features beyond basic storage. They provide end-to-end encryption to ensure your passwords are secure from the moment they're created until they're used. Cross-device synchronization allows you to access your passwords seamlessly across all your devices. Built-in password generation helps create strong, unique passwords for each service. Secure sharing capabilities let you safely share credentials with trusted contacts when needed. Browser integration makes it easy to automatically fill passwords on websites, while two-factor authentication support adds an extra layer of security.

For businesses, password managers provide additional critical features that enhance security and productivity. Access control and user management allow administrators to control who has access to which passwords. Password policies can be enforced across the organization to maintain security standards. Activity logging helps track who accessed what and when. Emergency access procedures ensure business continuity even if key personnel are unavailable. Team password sharing facilitates secure collaboration while maintaining control over sensitive credentials.

Why you should stop using LastPass

If you're using LastPass, you've already made a step in the right direction. Using any password manager is better than reusing passwords or storing them in plaintext. However, LastPass's track record reveals concerning patterns of security failures and lack of transparency.

The false sense of security

LastPass markets itself as a "zero-knowledge" platform, implying they can't access your data. While technically true for password encryption, this claim masks significant vulnerabilities in their implementation.

The critical flaw? Website URLs and account data are stored in plaintext. When LastPass was breached, attackers didn't just get encrypted data; they got detailed maps of users' digital footprints. This means attackers know:

  • Which banking services you use
  • What cryptocurrency exchanges you access
  • Your email providers
  • Your enterprise software subscriptions
  • Internal company tools and URLs

This information alone is valuable for targeted attacks. An attacker knowing you have accounts at specific financial institutions can craft highly effective phishing campaigns or attempt credential stuffing attacks.

The data breaches

2015: The First Warning Sign

In June 2015, LastPass experienced a significant security incident where unauthorized access was detected on their network. The company reported that email addresses, password hints, and authentication hashes of master passwords were compromised. While LastPass stated they detected and blocked the suspicious activity, the incident raised early concerns about the platform's security measures. This event marked the first publicly disclosed security breach in the company's history since its launch.

2021: A Second Breach

While LastPass wasn't directly breached in 2021, concerning security practices came to light when researchers discovered third-party trackers in their Android app. In February 2021, security analysis tool Exodus Privacy identified seven tracking services embedded in the LastPass Android application, raising serious privacy concerns. The discovered trackers included major analytics platforms like Google Analytics, Segment, and AppsFlyer, services typically used for marketing and user behavior analysis.

LastPass defended the inclusion of these trackers, claiming they were used only for collecting application performance metrics, crash reports, and usage statistics to improve the product. They also pointed out that users could disable analytics collection through the app's advanced settings.

However, this response did little to address the fundamental security concerns. The incident highlighted a concerning prioritization of marketing analytics over security principles, damaging LastPass's credibility among security professionals and privacy-conscious users. For a product whose primary purpose is protecting sensitive data, the willingness to compromise security for marketing insights raised serious questions about their security-first commitment.

2022-2023: The Third Breach

The 2022-2023 breach was catastrophic. What started as a "small" incident in August 2022 evolved into one of the most significant security breaches in password manager history. Here's what actually happened:

Initially, LastPass reported that source code and technical information were stolen from their development environment. Bad enough, right? But in December 2022, they dropped the real bomb: attackers had accessed their cloud storage and stolen encrypted password vaults containing customer data. This time, hackers accessed LastPass customer data, including email and IP addresses, telephone numbers, and names. On top of this, certain kinds of vault data were exposed, including usernames and passwords for some online accounts.

The aftermath of the 2022 breach continued to unfold throughout 2023, revealing increasingly concerning details about the incident's scope and impact. Early 2023 brought revelations that the breach extended beyond LastPass itself. Their parent company GoTo disclosed that attackers had compromised multiple services in their portfolio through a third-party cloud storage breach, including encrypted backups and potentially their decryption keys.

A particularly alarming detail emerged about how attackers gained access: they successfully targeted one of only four senior developers with access to LastPass's corporate vault. By exploiting a vulnerability on the developer's personal computer and installing a keylogger, they captured the master password and gained full access to critical company systems.

The real-world impact became clear in October 2023 when hackers leveraged stolen credentials to execute a $4.4 million cryptocurrency heist. The attackers had obtained crypto wallet seed phrases from the breached vaults, enabling them to drain users' digital assets.

LastPass has published a full list of the data accessed in the 2022 incidents if you'd like to see everything that was exposed.

Password manager for applications

While password managers excel at managing personal credentials, they fundamentally fail when it comes to application secrets. The practice of storing application secrets in password managers creates a dangerous security gap that many organizations overlook. When developers copy production database credentials or API keys from a password manager into their development environment, these secrets immediately become vulnerable. They persist in clipboard history, shell logs, and terminal sessions. Even worse, these secrets remain static until someone manually rotates them, assuming anyone remembers to do so.

The reality of modern development demands more than just secure storage. Development teams need to manage secrets across multiple environments, handle automated deployments, and maintain strict access controls. Password managers weren't designed for these use cases. This practice not only increases the risk of secret exposure but also makes it impossible to track who accessed what and when.

Secrets manager

This is where proper secrets management comes in, and it's why we built Enkryptify. We approached the problem from a developer-first perspective, understanding that security solutions must enhance productivity rather than hinder it. Modern secrets management isn't just about storing secrets securely; it's about integrating them seamlessly into your development workflow while maintaining strict security controls.

Enkryptify takes a fundamentally different approach to secrets management. Instead of treating secrets as static values to be copied and pasted, we treat them as dynamic resources that can be programmatically accessed, rotated, and audited. Our platform integrates directly with your development workflow, allowing secrets to be automatically injected into your applications without ever touching a developer's clipboard or local environment.

Our GitHub integration exemplifies this approach. Rather than manually copying deployment credentials, teams can securely inject secrets directly into their GitHub Actions workflows. This eliminates the risk of secret exposure through clipboard history or shell logs while ensuring that the right secrets are always used in the right environment. And while we currently focus on GitHub integration, our roadmap includes expanding to other major platforms based on your needs.

One of the most significant challenges in modern cloud architecture is vendor lock-in. While cloud providers offer their own secrets management solutions, like AWS Secrets Manager or Azure Key Vault, these solutions often create new silos of secrets that are difficult to manage across different platforms. This becomes particularly problematic in multi-cloud environments or when working with external services.

Enkryptify takes a platform-agnostic approach to secrets management. Our solution works seamlessly across different cloud providers and services, providing a single source of truth for all your application secrets. This means you can manage secrets for your AWS Lambda functions, Azure Web Apps, and on-premise applications all from one central location. There's no need to juggle multiple secrets management systems or worry about vendor-specific implementations.

The Future of Secrets Management

Looking ahead, we're building features that address the evolving needs of modern development teams. Automated secret rotation will ensure that compromised credentials can be quickly replaced across all environments. Audit logging will provide security teams with detailed insights into how secrets are being accessed and used. Role-based access control will allow organizations to precisely control who has access to which secrets, with granular permissions that match their organizational structure.

Making the Switch

The time to move away from password managers for application secrets is now. Each day you continue using an inadequate solution increases your risk of a security breach. While LastPass's breaches have made headlines, the real risk lies in using tools for purposes they weren't designed for.

Start by auditing your current secrets management practices. Identify where sensitive credentials are stored and how they're being accessed. Then, implement a proper secrets management solution that addresses your specific needs. With Enkryptify, you can begin this transition gradually, moving one application or team at a time to ensure a smooth migration.
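The audit step above, and the earlier point that copied secrets persist in shell history and .env files, can be made concrete with a small scanner. This is an added example and not Enkryptify's code; the shell history and .env contents are constructed with fake values, and the patterns (AWS access key IDs, secret-looking KEY=value assignments, passwords embedded in connection URLs) are a starting set, not a complete one.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    source: str      # which file the credential-shaped string was found in
    line_no: int
    kind: str        # which pattern matched
    redacted: str    # partially masked value, safe to put in a report

# Patterns for credential-shaped strings. AWS access key IDs are "AKIA" plus
# 16 uppercase alphanumerics; the other two catch KEY=value assignments whose
# name suggests a secret, and connection URLs that embed a password.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:export\s+)?([A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*)"
        r"\s*=\s*['\"]?([^\s'\"]{8,})"),
    "url_password": re.compile(r"\b[a-z]+://[^:/\s]+:([^@\s]+)@\S+"),
}

# Constructed sample inputs (not real data): a shell history and a .env file
# of the kind that collects credentials copied out of a password manager.
SAMPLE_FILES = {
    "~/.bash_history": (
        "cd ~/projects/api\n"
        "export STRIPE_API_KEY=sk_test_EXAMPLE0000000000000000\n"
        "aws s3 ls --profile prod\n"
        "git commit -m 'fix login'\n"
        "export DATABASE_URL=postgres://app:s3cr3tpw@db.internal/prod\n"),
    "api/.env": (
        "APP_ENV=production\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE00000000A\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "LOG_LEVEL=info\n"),
}

def redact(value: str) -> str:
    """Keep the first 4 characters so a finding is recognisable but unusable."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per credential-shaped match, never the raw value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                # The last capturing group holds the secret itself, if any.
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(source, line_no, kind, redact(secret)))
    return findings

def audit(files: dict[str, str] = SAMPLE_FILES) -> list[Finding]:
    """Scan every file and return the findings to review before migration."""
    return [f for src, text in files.items() for f in scan_text(src, text)]
```

Running `audit()` on the samples reports four findings, two of them in shell history, which is exactly the exposure the clipboard-and-paste workflow creates.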

Remember, proper secrets management isn't just about security; it's about enabling your team to work efficiently while maintaining the highest security standards. Ready to see how modern secrets management should work? Let us help you make the switch. Schedule a meeting with us and we'll see how Enkryptify can help your company or team. You can use Enkryptify for free!
