Think Twice Before Trusting This Password Manager With Your Info

Password managers are supposed to be super helpful (not to mention super safe) ways to keep all your logins in one convenient place. That's why you should start using a password manager if you're not already doing so. Instead of jotting your logins down on a sticky note, saving them in a document on your computer, or writing them down in a list on your phone, password managers are there to do the remembering and protecting for you. That last part especially is a big factor in trusting a password manager in the first place: They're supposed to be the safest, most hacker-proof way to store your logins. But what happens when that trust gets broken? Can that password manager ever truly be trusted the same way again?

It's a question LastPass users can't help but ask after a fraction of the password manager's approximately 20 million individuals and 100,000 businesses had their personal information breached. The compromised data included names, email addresses, phone numbers, and website URLs stored by LastPass users. And while LastPass's "zero knowledge" encryption model did keep attackers from decrypting customer logins, it's absolutely a wake-up call for anyone on the hunt for a password manager they can trust or those who may want to move their data from LastPass to another option.

What went wrong and why it still matters

The U.K. Information Commissioner's Office only fined LastPass £1.2 million (or about $1.6 million) for the breach. That's a pretty measly amount in the grand scheme of things, though: less than a dollar per person for the 1.6 million people actually impacted by the breach in the U.K. alone.

Worse for LastPass, the intrusion was actually two incidents. In the first, a hacker gained access to a LastPass employee's corporate laptop and entered the company's development environment that way. No personal user data was taken at that point, though. That changed during the second incident, when the attacker targeted a senior employee through a known weakness in a third-party streaming service. The hacker used malware to capture the employee's password and bypass multifactor authentication, which finally let the attacker reach the backup database. While it may not have done much good in this case, it's always a good idea to pay attention to the signs that your computer could be infected with malware.

Security experts said this incident wasn't the result of one single catastrophic failure, but rather a combination of security lapses that ultimately let a hacker gain access to the LastPass backup database. But that excuse doesn't really help LastPass's case all that much. After all, systemic flaws aren't something you can just undo in a day, a week, a month, or even a year. It practically demands an overhaul from the ground up. And with this happening back in 2022 (and fines only coming through in December 2025), it makes you wonder how much work has actually been done to better secure things since.
