LastPass and the lesson in secrets management: what happened and what it means
The 2022 LastPass breach became one of the most discussed incidents in credential management. I look at what happened and which conclusions matter for businesses.
At the end of 2022 LastPass disclosed details of a breach that turned out to be significantly more serious than the initial reports suggested. Attackers obtained copies of encrypted customer password vaults. The details emerged gradually, and by early 2023 the picture was clear enough to draw conclusions.
I do not normally analyse specific incidents for their own sake, but this one raises questions that matter for any company - regardless of whether it used LastPass.
What happened
The incident ran in two stages. In August 2022 attackers compromised a developer account and used it to get into the development environment, taking source code and internal technical documentation. They then used what they had learned there to target a second employee, a DevOps engineer, and obtained the credentials and decryption keys protecting the company's cloud backup storage. From that storage they copied backups of customer vaults. Inside a vault, usernames, passwords and notes are encrypted, but site URLs were stored in plain text; customer account data such as names, email addresses, billing addresses and phone numbers was also taken unencrypted.
The encrypted part of each vault is protected by a key derived from the user's master password. With a copy of the vault in hand, an attacker can guess master passwords offline, with no rate limiting, so if the master password is weak or reused from a site that has already leaked, a dictionary or brute-force attack becomes realistic. The cost of each guess is set by the iteration count of the key derivation, and older LastPass accounts that had never been migrated from low iteration counts were markedly cheaper to attack.
This incident demonstrated several things at once: that a foothold in a development environment becomes a path to production data when the two are not strictly separated; that access segregation was lacking, since one engineer's credentials were enough to reach backups of every customer's vault; and the limits of the model "we trust the provider to store our secrets".
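To make the offline attack concrete, here is an added example (my own illustration, not LastPass code or anything from the incident) of a dictionary attack against a PBKDF2-derived vault key. The iteration counts, the wordlist and the passwords are assumptions chosen for the demonstration; the point is that a wordlist password falls in a handful of guesses while a random passphrase survives the same run, and that the per-guess cost scales with the iteration count.

```python
"""Offline dictionary attack against a PBKDF2-derived vault key.

Constructed example, not LastPass code: it shows why a stolen, encrypted vault
turns a weak master password into a realistic target, and how the iteration
count of the key derivation sets the attacker's cost per guess. The iteration
counts and wordlist below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import time

LOW_ITERATIONS = 5_000       # assumed legacy setting
HIGH_ITERATIONS = 600_000    # assumed modern setting

# Constructed wordlist. Real attackers use leaked-password corpora plus
# mangling rules, which is exactly why a reused password is the weak case.
WORDLIST = ["password", "123456", "Summer2022!", "letmein", "qwerty123"]


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (a common choice)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def dictionary_attack(target_key: bytes, salt: bytes, iterations: int, wordlist):
    """Try each candidate against the stolen key.

    Returns (recovered_password, guesses_made); the password is None on failure.
    Nothing rate-limits this loop: the attacker holds the data, so the only
    cost is iterations x number of candidates.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if hmac.compare_digest(derive_vault_key(candidate, salt, iterations), target_key):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure one PBKDF2 derivation at the given iteration count on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def demo():
    """A wordlist password falls; a random passphrase survives the same run."""
    salt = os.urandom(16)
    weak_key = derive_vault_key("Summer2022!", salt, LOW_ITERATIONS)
    strong_key = derive_vault_key("glacier-orbit-paddle-vellum-74", salt, LOW_ITERATIONS)
    weak_hit, weak_guesses = dictionary_attack(weak_key, salt, LOW_ITERATIONS, WORDLIST)
    strong_hit, _ = dictionary_attack(strong_key, salt, LOW_ITERATIONS, WORDLIST)
    return {"weak": (weak_hit, weak_guesses), "strong": strong_hit}


if __name__ == "__main__":
    result = demo()
    print("weak master password recovered:", result["weak"])
    print("strong passphrase recovered:", result["strong"])
    # Cost per guess scales linearly with the iteration count; extrapolate a
    # 10-million-word dictionary run to show why the count matters.
    for iters in (LOW_ITERATIONS, HIGH_ITERATIONS):
        per_guess = seconds_per_guess(iters)
        print(f"{iters:>7} iterations: {per_guess * 1e3:.1f} ms/guess, "
              f"10M guesses ~ {per_guess * 10_000_000 / 3600:.1f} h single-core")
```

Run it as a script to see the timing comparison on your own machine; the numbers differ by hardware, but the ratio between the two iteration counts is the lesson, and a real attacker adds GPUs and many cores on top.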
Why this concerns any business
Most companies store critical secrets somewhere: database passwords, API keys for external services, cloud infrastructure credentials. The question is not whether you have these secrets - everyone does. The question is how they are stored and who has access to them.
The typical picture I see: some secrets are in the team password manager, some live in people's heads, some are in text files on developer machines, some are hardcoded in configuration files that occasionally end up in a code repository.
This is not a paranoid description. It is a realistic description of most companies with a small or medium IT team.
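The last item in that list, secrets hardcoded in configuration files that drift into a repository, is the one that can be checked mechanically. Below is an added example (my own code, not from the original post or any particular tool) of the minimal scanner a pre-commit hook or CI job runs over files before they are committed. The rule set, the placeholder list, the entropy threshold and the sample settings file are assumptions for illustration; the AWS values in the sample are AWS's own documentation examples, not live keys.

```python
"""Find hardcoded secrets in configuration or source text.

Constructed example, not from the original post: the check a pre-commit hook
or CI job runs so that credentials pasted into config files do not reach the
repository. The rule set is a starting point, not a complete list, and the
sample file, its values and the entropy threshold are assumptions for
illustration (the AWS values are AWS's own documentation examples).
"""
import math
import re
from collections import Counter

# (rule name, regex). Format-specific rules are reliable on their own; the
# generic assignment rule needs the placeholder and entropy filters below.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic-assignment",
     re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s#]{8,})")),
]

# Values that are clearly not live secrets: templates, env-var references.
PLACEHOLDERS = ("changeme", "<redacted>", "${", "xxxxxxxx", "example")
ENTROPY_THRESHOLD = 3.0   # bits/char; assumption tuned to skip dummy strings


def shannon_entropy(value: str) -> float:
    """Bits per character. Random tokens score around 4 or more, 'aaaa' scores 0."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    low = value.lower()
    return any(p in low for p in PLACEHOLDERS)


def scan_text(text: str, path: str = "<memory>"):
    """Return findings as (path, line_no, rule_name, matched_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines are left to human review
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # Captured value if the rule has a group, else the whole match.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if name == "generic-assignment" and (
                    looks_like_placeholder(value)
                    or shannon_entropy(value) < ENTROPY_THRESHOLD):
                continue
            findings.append((path, line_no, name, value))
    return findings


# Constructed sample: a settings file of the kind that gets committed by mistake.
SAMPLE_CONFIG = """\
# constructed sample: a settings.ini committed by mistake
[database]
host = db.internal
password = "Tr0ub4dor&3_prod"
# password = "old-value-rotated-2021"
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[app]
api_key = changeme
token = aaaaaaaaaaaaaaaa
[tls]
key = -----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, line_no, rule, value in scan_text(SAMPLE_CONFIG, "settings.ini"):
        print(f"{path}:{line_no}: {rule}: {value}")
```

On the sample it reports the database password, both AWS keys and the private-key header, and stays quiet on the `changeme` placeholder and the all-`a` dummy token. The entropy filter is a trade-off: it suppresses obvious dummies but will also pass over a real password made of dictionary words, so treat the generic rule as a hint and the format-specific rules as the reliable part.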
What to check
Three questions I recommend asking your IT team:
The first: where are the keys and credentials for critical systems stored - cloud, databases, payment infrastructure? This should be a concrete answer, not "with the relevant people".
The second: what happens if an employee who has access to these secrets leaves today? Disabling their accounts does not undo what they have already seen or copied, so is there a process for rotating every credential they had access to?
The third: does the company practice least-privilege access - meaning each service and each person has access only to what they actually need, and nothing more?
A practical minimum
The LastPass incident does not mean password managers are bad. They are significantly better than the alternatives for most companies. But it is a reminder of a few things.
The secrets for production systems should not live in the same places as employees' personal passwords. For production systems there are specialised solutions, such as HashiCorp Vault or the secret managers built into the major cloud providers, that provide access auditing, secret rotation and least-privilege enforcement.
And the main point: knowing where your critical secrets live is basic hygiene, not paranoia.