Security is the top priority of any password manager, and it is ours. We work to keep our customers' most sensitive information private and safe. Like every software company we find bugs and issues; while they are uncomfortable and concerning, finding and fixing them is part of the process that makes LastPass as secure as it is.
Has LastPass ever been hacked?
LastPass has experienced a single security incident in our 10-year history, in 2015. The data exposed was account email addresses, password reminders, server per-user salts and authentication hashes; no encrypted vault data was compromised. Even under this most extreme test, our systems performed as designed and protected the encrypted vault data of our users, reinforcing our commitment to a 'zero knowledge' security model in which LastPass never has your master password or access to the data within your vault.
As soon as the incident was discovered, we moved to contain the breach, adding the requirement of two-step verification for all users within one hour of detection. We also installed HSMs at our data centers to further lock down SAML keys and user password hints.
While a security incident is not ideal for any company, this one was quickly remediated, our product was strengthened because of it, and we are proud of our strong track record of transparency with our community.
How is LastPass safe from being hacked?
LastPass operates on a zero-knowledge security model. The encryption key is derived on your device from your master password, and the sensitive data stored in LastPass is encrypted there with AES-256 before it is synced. The already-encrypted data travels over TLS, which protects it from man-in-the-middle attacks on the wire, and the server only ever holds ciphertext it cannot decrypt. We follow industry best practices to protect our infrastructure, including regularly upgrading our systems and running redundant data centers to reduce the risk of downtime or a single point of failure. LastPass is market-tested by more than 43,000 companies, including Fortune 500 and leading tech enterprises.
How will I know if LastPass has been hacked?
LastPass values transparency in its incident response procedures. Our team reacts swiftly to reports of bugs or vulnerabilities and communicates openly with our community. How we communicate depends on the severity of the incident; for those of the highest priority we notify users by email, blog post and social media. We continue to earn our users' trust by inviting the security community to challenge our technology, reacting promptly and communicating transparently.
What are you doing to prevent LastPass from being hacked in the future?
It goes without saying that security is fundamental to what we do. As an industry best practice, LastPass conducts at least one penetration test a year to strengthen our product and to have its security vetted by a reputable third party. We also run a bug bounty program on the Bugcrowd platform, where white-hat researchers responsibly disclose bugs so we can fix them and further harden the product against attack. As the first password manager to offer a bug bounty program, LastPass has built long-standing relationships with many researchers around the world, which only serves to benefit our customers. We welcome contributions from all researchers via our bug bounty program.
In addition to a laser focus on our own security, we also report on data breaches that occur at other companies in an effort to keep our community informed and protected. As a leader in password security, we want individuals and businesses to clearly understand the impact of third-party data breaches and the steps they must take to mitigate the risks for themselves.