Data breach · Contained

LastPass two-stage breach and customer vault theft (2022)

An August 2022 source-code theft from one LastPass developer's laptop chained into a second compromise, disclosed in November 2022, of a DevOps engineer's personal computer that yielded access to backups of customer password vaults. In March 2025, U.S. federal investigators linked vault data stolen from LastPass to a $150 million cryptocurrency theft.

Victim
LastPass

In 2022, the password manager LastPass suffered a two-stage breach that became one of the most consequential security incidents in the consumer-software industry. An August 2022 compromise of a single developer's corporate laptop gave attackers source code, technical documentation, and internal secrets. Months later, the attackers used that knowledge to compromise a second engineer's personal computer, capture credentials with a keylogger, and reach the backups of customer password vaults.

What happened

Stage 1 — 8 August 2022. Attackers compromised a LastPass software engineer's corporate laptop and used it to reach a cloud-based development environment. Over roughly four days they exfiltrated 14 of approximately 200 source-code repositories, internal technical documentation, and internal scripts that contained LastPass secrets and certificates. Nothing in this haul decrypted customer data on its own, but it told the attackers how the development and production environments were built, where backups lived, and which employees held the keys to them.

In September 2022, LastPass publicly stated that no customer data or password vaults had been accessed. That statement was true at the time — but the attackers were not done.

Stage 2 — August–October 2022. Using what they had learned in the August intrusion, the attackers targeted the personal computer of a senior DevOps engineer, one of only four employees holding the credentials needed to reach certain production secrets. A keylogger planted on the home machine captured the engineer's master password as it was typed, which opened the engineer's corporate LastPass vault. Secure notes in that vault held the access and decryption keys for the production backups stored in Amazon S3. With those, the attackers copied backup databases, including the MFA / Federation database backup (LastPass Authenticator seeds and the split-knowledge component, the K2 "key", used for federation), and backups of customer password vaults.

LastPass disclosed the second incident on 30 November 2022 and acknowledged on 22 December that copies of customer vaults had been exfiltrated. The vaults were encrypted, but each vault's encryption key is derived from the customer's master password, so the protection rests on that password and on the account's key-derivation iteration count. Any customer with a guessable master password was now exposed to offline brute-force: the attacker holds the ciphertext, so there is no server-side lockout or rate limit to slow guessing, and the unencrypted URL fields show exactly which vaults are worth the effort.
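The offline brute-force exposure described above, as an added example that is not code from the page or from LastPass. It models the published shape of the scheme, a vault key derived with PBKDF2-HMAC-SHA256 from the master password with the account e-mail as salt, and then runs a dictionary attack against two constructed vault backups. The e-mail addresses, passwords, wordlist and the "vault-format-marker" check are all invented for the example; the real vault encrypts fields with AES-256-CBC under the derived key, and the HMAC check here stands in for "decrypt a field and see whether it parses" so that the script needs only the standard library. The three iteration counts are the figures that circulated after the breach (5,000 on many older accounts, 100,100 as the default at the time, 600,000 as later guidance) and are parameters, not anything read from a real vault.

```python
"""Offline master-password guessing against a stolen vault backup.

Constructed example, not LastPass code. It follows the published shape of the
scheme: vault_key = PBKDF2-HMAC-SHA256(master_password, salt=e-mail, iterations).
The real vault encrypts fields with AES-256-CBC under that key; here an HMAC
tag over a constructed marker stands in for "try to decrypt and see whether the
result parses", so the script runs with only the standard library.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32  # 256-bit key, the size AES-256 would consume

# Iteration counts discussed after the breach: 5,000 on many old accounts,
# 100,100 as the default at the time, 600,000 as the later guidance.
LEGACY_ITERS, DEFAULT_ITERS_2022, MODERN_ITERS = 5_000, 100_100, 600_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Key derivation with the account e-mail as the salt. Lower-casing the
    e-mail is an assumption of this model (the e-mail is a login name)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.lower().encode("utf-8"), iterations, dklen=KEY_LEN)


def make_vault(master_password: str, email: str, iterations: int) -> Dict:
    """Constructed stand-in for a vault backup. Note what the backup leaks to
    whoever steals it: the e-mail (the salt) and the iteration count. The key
    itself is never stored; it is recomputed from the master password."""
    key = derive_vault_key(master_password, email, iterations)
    check = hmac.new(key, b"vault-format-marker", hashlib.sha256).digest()
    return {"email": email, "iterations": iterations, "check": check}


def key_opens_vault(key: bytes, vault: Dict) -> bool:
    """Stand-in for decrypting a field and checking that it parses."""
    expected = hmac.new(key, b"vault-format-marker", hashlib.sha256).digest()
    return hmac.compare_digest(expected, vault["check"])


def crack_offline(vault: Dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline attack: no server involved, so no lockout or rate limit. Each
    guess costs one PBKDF2 run at the vault's own iteration count.
    Returns (recovered password or None, number of guesses spent)."""
    for n, candidate in enumerate(wordlist, start=1):
        key = derive_vault_key(candidate, vault["email"], vault["iterations"])
        if key_opens_vault(key, vault):
            return candidate, n
    return None, len(wordlist)


def cost_ratio(iterations_a: int, iterations_b: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so the attacker's guess
    throughput drops by exactly this factor when the count is raised."""
    return iterations_a / iterations_b


# Constructed inputs: a tiny dictionary and two victims whose e-mails and
# passwords are invented for this example.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2022!", "Welcome1"]
WEAK_VAULT = make_vault("Summer2022!", "alice@example.com", DEFAULT_ITERS_2022)
STRONG_VAULT = make_vault("orbit-walnut-candle-7-glacier", "bob@example.com", LEGACY_ITERS)


if __name__ == "__main__":
    pw, guesses = crack_offline(WEAK_VAULT, WORDLIST)
    print("weak vault (100,100 iterations):", pw, "after", guesses, "guesses")
    pw, guesses = crack_offline(STRONG_VAULT, WORDLIST)
    print("strong vault (5,000 iterations):", pw, "after", guesses, "guesses")
    print("100,100 vs 5,000 iterations: %.2fx slower per guess"
          % cost_ratio(DEFAULT_ITERS_2022, LEGACY_ITERS))
```

The two vaults make the practical point: the weak master password falls within a handful of guesses even at the higher 2022 default iteration count, while the passphrase survives the dictionary even on a legacy 5,000-iteration account. The iteration count only scales the attacker's cost linearly; the master password's entropy is what decides whether a stolen vault ever opens.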

In March 2025, U.S. federal investigators publicly linked LastPass-stolen vault contents to a $150 million cryptocurrency theft — the kind of downstream consequence security researchers had warned about for years.

Impact

  • Source code for 14 LastPass repositories exfiltrated.
  • Backup database and customer password vault copies stolen.
  • Some unencrypted URL fields and encrypted username/password fields in vaults exposed.
  • MFA / Federation Database backup stolen, including authenticator seeds.
  • $150 million cryptocurrency theft later attributed to data from stolen LastPass vaults.
  • Triggered industry-wide reckoning about password-manager architecture and master-password security.

Why it matters

LastPass changed how the security industry thinks about single-point-of-failure SaaS. A password manager holds, by design, the most concentrated identity data a consumer owns. The two-stage chain (corporate laptop → DevOps engineer's personal computer with a keylogger → production backup keys) also highlights the personal-device blind spot in most enterprise security programmes: the home machine of an engineer with production access sits outside corporate endpoint protection and patch management, yet is one typed master password away from the crown jewels.

Timeline

  1. August 2022: Attackers compromise a LastPass software engineer's corporate laptop to access a cloud-based development environment; 14 of approximately 200 source-code repositories, internal technical documentation and internal scripts containing LastPass secrets are exfiltrated.

  2. September 2022: LastPass states that the investigation has determined no customer data or password vaults were accessed.

  3. August–October 2022: Using technical knowledge from the August breach, attackers compromise the personal computer of a senior DevOps engineer with a keylogger, capturing the master password that opens the engineer's corporate vault and the production backup keys stored in it.

  4. 30 November 2022: LastPass discloses the second, more serious incident: backup database access and exfiltration of customer password vaults, including some unencrypted URLs and encrypted username/password fields.

  5. 22 December 2022: LastPass acknowledges that encrypted customer vaults are in attacker hands; users with weak master passwords are at risk of offline brute-force attacks.

  6. March 2025: U.S. federal investigators publicly link LastPass-stolen vault contents to a $150 million cryptocurrency theft, confirming long-feared downstream impact.

Sources

  1. Wikipedia: https://en.wikipedia.org/wiki/2022_LastPass_data_breach
  2. Cybersecurity Dive: https://www.cybersecuritydive.com/news/lastpass-cyberattack-timeline/643958/
  3. LastPass blog: https://blog.lastpass.com/posts/notice-of-recent-security-incident
  4. Krebs on Security: https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/
