The Breach That Exposed Everything
In December 2022, LastPass disclosed that attackers had accessed the company's backup systems and obtained encrypted password vaults for 33 million users.
The attackers didn't need LastPass's encryption keys: as LastPass CEO Karim Toubba later admitted in a public statement, the company had created a backup of production servers in a non-production environment, and that backup was not encrypted with the same encryption keys as production.
In other words: LastPass backed up customer vaults to a server that was less secure than production.
Attackers exploited this mistake and copied the entire vault backup.
While the sensitive fields in each vault were encrypted with the user's master password, the vault files also contained metadata and email addresses in readable form that revealed:
- Which customers used which services
- Organization structure (entries for the CEO, CFO and IT teams sat together)
- Which companies were managing which critical services
For cybercriminals, this intelligence was as valuable as the passwords themselves.
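The lesson for anyone shipping a vault or backup off a production system is to audit what a reader without the key can still learn from it. The script below is an added example, not LastPass code or its real export format: it assumes a constructed JSON export in which encrypted values carry an `enc:` prefix and base64 blob, and it reports which fields and hostnames are readable in cleartext.

```python
import json
import re
from collections import Counter
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Assumption: the export marks encrypted values with an "enc:" prefix
# followed by a base64 blob. Real vault formats differ.
CIPHERTEXT_RE = re.compile(r"^enc:[A-Za-z0-9+/=]{16,}$")

# Constructed sample export: usernames and passwords encrypted, URLs and
# the account e-mail left in cleartext (the pattern the text describes).
SAMPLE_EXPORT = json.dumps({
    "account_email": "cfo@example-corp.test",
    "items": [
        {"url": "https://console.aws.example.test/login",
         "username": "enc:dXNlcm5hbWUtY2lwaGVydGV4dA==",
         "password": "enc:cGFzc3dvcmQtY2lwaGVydGV4dA=="},
        {"url": "https://payroll.example-vendor.test",
         "username": "enc:YW5vdGhlci11c2VybmFtZQ==",
         "password": "enc:YW5vdGhlci1wYXNzd29yZA=="},
    ],
})

def classify(value: str) -> str:
    """Label one field value by what a keyless reader could learn from it."""
    if CIPHERTEXT_RE.match(value):
        return "ciphertext"
    if EMAIL_RE.match(value):
        return "cleartext-email"
    if URL_RE.match(value):
        return "cleartext-url"
    return "cleartext"

def audit_export(raw: str) -> dict:
    """Count field classifications and collect hostnames readable without a key."""
    data = json.loads(raw)
    fields = {}
    hosts = set()
    records = [{"account_email": data["account_email"]}] + data["items"]
    for rec in records:
        for name, value in rec.items():
            label = classify(value)
            fields.setdefault(name, Counter())[label] += 1
            if label == "cleartext-url":
                hosts.add(urlparse(value).hostname)
    return {"fields": fields, "cleartext_hosts": sorted(hosts)}

def leaking_fields(report: dict) -> list:
    """Field names with at least one value readable without the vault key."""
    return sorted(n for n, c in report["fields"].items()
                  if any(k != "ciphertext" for k in c))
```

Run against a real export before it leaves production; any field other than those you deliberately keep searchable should come back as ciphertext only.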