A Breach That Unfolded in Stages
The LastPass breach of 2022 was not a single event but a cascading sequence of compromises that exploited third-party software, remote work environments, and the trust users place in password management vendors. The incident ultimately led to the theft of encrypted password vaults belonging to millions of users, with the FBI later linking the breach to over $150 million in cryptocurrency theft. For third-party risk management (TPRM) professionals, it is a textbook example of how vendor supply chain weaknesses compound over time.
Timeline of the Attack
Stage 1: The Developer Laptop (August 2022)
In August 2022, LastPass disclosed that an unauthorized party had gained access to portions of its development environment. The attacker compromised a software developer's corporate laptop, obtaining access to source code and proprietary technical information. LastPass initially stated that no customer data or vault data was accessed, and many observers treated the incident as contained.
Stage 2: The Plex Vulnerability and the DevOps Engineer (August – October 2022)
The second stage was far more damaging and revealed the true supply chain nature of the attack. Using information stolen during the first breach, the attacker targeted one of only four LastPass DevOps engineers who had access to the decryption keys for the company's cloud storage. The attacker compromised this engineer's home computer by exploiting a vulnerability in Plex Media Server, a third-party media software application the engineer had installed on their personal machine.
The Plex vulnerability (CVE-2020-5741) had been patched in May 2020, but the engineer had not updated their software. Through this vector, the attacker installed a keylogger, captured the engineer's master password, and gained access to the LastPass corporate vault and the AWS cloud storage environment containing customer vault backups.
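The defensive control this stage points at is a patch-compliance check that joins an endpoint inventory with the list of privileged staff, so that an outdated third-party application on an unmanaged device used by a production-access engineer is flagged first. The following Python is an added example, not LastPass's tooling: the inventory records, the product names other than Plex, and the `1.19.3` version floor are constructed placeholders (take the real fixed version from the vendor advisory).

```python
"""Patch-compliance check over an endpoint inventory.

Added example (not LastPass's tooling): flags devices where privileged staff run
third-party software below a required patch level, and rates the finding higher
when the device is unmanaged. Inventory records and version floors are constructed.
"""
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.18.2' into (1, 18, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Minimum acceptable versions per product. The Plex value is an ASSUMED
# placeholder standing in for the fix version of CVE-2020-5741; it is not
# taken from the article. The second product is entirely constructed.
MIN_PATCHED: Dict[str, str] = {
    "plex-media-server": "1.19.3",
    "example-vpn-client": "4.2.0",
}

# Constructed inventory: what an MDM/EDR export might look like after joining
# device records with the directory's privileged-role list.
INVENTORY: List[dict] = [
    {"user": "devops-a", "privileged": True, "host": "home-desktop", "managed": False,
     "software": "plex-media-server", "version": "1.18.2"},
    {"user": "devops-a", "privileged": True, "host": "corp-laptop", "managed": True,
     "software": "example-vpn-client", "version": "4.1.7"},
    {"user": "intern-b", "privileged": False, "host": "corp-laptop", "managed": True,
     "software": "plex-media-server", "version": "1.18.2"},
    {"user": "devops-c", "privileged": True, "host": "corp-laptop", "managed": True,
     "software": "plex-media-server", "version": "1.20.0"},
]


def rate_finding(record: dict) -> str:
    """Privileged user on an unmanaged device is the worst case; ordinary user is routine."""
    if record["privileged"] and not record["managed"]:
        return "critical"
    if record["privileged"]:
        return "high"
    return "medium"


def find_exposures(inventory: List[dict], min_patched: Dict[str, str]) -> List[dict]:
    """Return one finding per record whose installed version is below the floor."""
    findings = []
    for record in inventory:
        floor = min_patched.get(record["software"])
        if floor is None:
            continue  # product not in scope of the patch baseline
        if parse_version(record["version"]) < parse_version(floor):
            findings.append({
                "user": record["user"],
                "host": record["host"],
                "software": record["software"],
                "installed": record["version"],
                "required": floor,
                "severity": rate_finding(record),
            })
    # Surface the findings the security and TPRM teams must act on first.
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for finding in find_exposures(INVENTORY, MIN_PATCHED):
        print(f"[{finding['severity']}] {finding['user']}@{finding['host']}: "
              f"{finding['software']} {finding['installed']} < {finding['required']}")
```

The severity rule encodes the lesson of this stage: the same outdated package on an intern's managed laptop is routine hygiene, but on an unmanaged home machine belonging to one of a handful of engineers with production key access it is the finding that decides whether a breach stays contained.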
Stage 3: Vault Theft and Disclosure (November – December 2022)
The attacker exfiltrated copies of customer vault backups, which contained both encrypted data (website usernames, passwords, secure notes) and unencrypted data (website URLs). LastPass disclosed the full scope of the breach in December 2022, acknowledging that encrypted vault data had been stolen and that attackers could potentially brute-force weak master passwords to access individual vaults.
The Aftermath: $150 Million in Crypto Theft
In the months following the disclosure, blockchain researchers and law enforcement began tracking large-scale cryptocurrency thefts that appeared linked to the stolen LastPass vaults. Victims who had stored cryptocurrency seed phrases and private keys in their LastPass vaults reported having their wallets drained. The FBI and the U.S. Secret Service investigated, and by late 2023, federal authorities had linked over $150 million in cryptocurrency theft to the LastPass breach. In February 2026, LastPass agreed to a $24.5 million settlement to resolve a class-action lawsuit brought by affected users.
| Impact Metric | Detail |
|---|---|
| Encrypted Vaults Stolen | Vault backups for approximately 25 million users |
| Cryptocurrency Losses | $150+ million linked by FBI |
| Class-Action Settlement | $24.5 million (February 2026) |
| Third-Party Vector | Plex Media Server vulnerability (CVE-2020-5741) |
| Attack Duration | August – October 2022 (undetected) |
Supply Chain Lessons for TPRM
- Personal devices as attack vectors. The breach pivoted through a DevOps engineer's home computer running unpatched third-party software. Vendor risk assessments should ask whether privileged personnel are permitted to access production systems from unmanaged devices.
- Sensitive data in password managers. Organizations that store high-value secrets (API keys, cryptocurrency seed phrases, infrastructure credentials) in a third-party password manager are placing enormous trust in that vendor. TPRM should categorize password managers as critical vendors and assess their encryption architecture, key management, and breach response capabilities.
- Cascading breach dynamics. Stage 1 enabled Stage 2, which enabled vault theft. This cascading pattern is common in supply chain attacks and underscores the need for vendor monitoring that goes beyond point-in-time assessments.
- Encryption is not a complete safeguard. While the vaults were encrypted, weak master passwords made brute-forcing viable. Third-party risk assessments should examine whether vendors enforce minimum password complexity and a sufficient key-derivation (KDF) iteration count, since the iteration count sets the cost of each offline guess against a stolen vault.
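The interaction between master-password strength and KDF iteration count is the quantitative heart of the last lesson. The Python below is an added example, not LastPass code: it derives a vault key the way password managers typically do (PBKDF2-HMAC-SHA256), shows that an attacker's expected offline guessing time scales linearly with the iteration count, and encodes a minimum policy a vendor assessment could test against. The attacker guess rate, the 600,000-iteration floor (the OWASP recommendation for PBKDF2-HMAC-SHA256) and the 12-character floor are assumptions for illustration, not figures from the article.

```python
"""Why KDF iteration counts matter for a stolen encrypted vault.

Added example, not LastPass code. Derives a vault key with PBKDF2-HMAC-SHA256,
models how offline guessing cost scales with iterations, and checks a vendor's
disclosed parameters against assumed policy floors.
"""
import hashlib
import math
from typing import List

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# ASSUMED attacker capability: raw HMAC-SHA256 evaluations per second across a
# GPU rig. Only the ratio between iteration counts matters for the lesson.
ASSUMED_HASHES_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password; human-chosen ones are far weaker."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, iterations: int,
                         hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected offline guessing time: half the keyspace, each guess costing `iterations` HMACs."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / hashes_per_second / SECONDS_PER_YEAR


def assess_kdf_policy(iterations: int, min_password_length: int,
                      required_iterations: int = 600_000,
                      required_length: int = 12) -> List[str]:
    """Return the policy gaps a vendor assessment would record.

    The floors are assumptions: 600,000 follows the OWASP recommendation for
    PBKDF2-HMAC-SHA256, and 12 characters is a common minimum-length policy.
    """
    gaps = []
    if iterations < required_iterations:
        gaps.append(f"KDF iterations {iterations:,} below required {required_iterations:,}")
    if min_password_length < required_length:
        gaps.append(f"minimum master password length {min_password_length} "
                    f"below required {required_length}")
    return gaps


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # real products use a random per-user salt
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print("vault key:", key.hex())
    bits = password_entropy_bits(8, 62)  # eight random alphanumeric characters
    for iters in (5_000, 100_000, 600_000):
        print(f"{iters:>8,} iterations -> {expected_crack_years(bits, iters):.4f} years")
    print(assess_kdf_policy(5_000, 8))
```

Two things fall out of running it. Raising iterations from 5,000 to 600,000 multiplies the attacker's cost by 120 for every user, regardless of their password, which is why a TPRM questionnaire should ask for the vendor's current and legacy iteration counts and whether old vaults were re-keyed. And the entropy term dominates: a short or dictionary-based master password is recovered quickly at any iteration count, so the vendor's password-complexity enforcement belongs in the same control check.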
Quantifying the Risk
A FAIR analysis of the LastPass scenario would model the loss event as having extremely high loss magnitude due to the nature of the data stored (credentials for every service a user accesses). The probability of the threat event was elevated by the remote work environment and the use of unmanaged personal devices. Organizations using the FAIR framework for vendor risk quantification should weight password management vendors heavily in their risk register, reflecting both the breadth of data they hold and the catastrophic consequences of a breach.
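One way to make the weighting concrete is to run a FAIR-style Monte Carlo estimate per vendor and rank by annualized loss exposure (ALE). The Python below is an added example and not Fair TPRM's own implementation: Threat Event Frequency (TEF), Vulnerability (the probability a threat event becomes a loss event) and Loss Magnitude (LM) are each given as a (minimum, most likely, maximum) estimate sampled from a PERT distribution, and a password-manager vendor is compared with a routine SaaS vendor that differs only in loss magnitude. Every range is a constructed placeholder, not a LastPass figure.

```python
"""Monte Carlo FAIR-style estimate of annualized loss exposure for a vendor.

Added example, not Fair TPRM's implementation. Loss Event Frequency is
TEF x Vulnerability; each year's loss is the sum of LM draws over the loss
events that occur. All ranges below are constructed placeholders.
"""
import math
import random
from typing import Dict, List, Tuple

Range = Tuple[float, float, float]  # (minimum, most likely, maximum)


def pert_sample(rng: random.Random, low: float, mode: float, high: float,
                lam: float = 4.0) -> float:
    """Sample a PERT distribution, the usual way FAIR tools encode min/likely/max estimates."""
    if high <= low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year at average rate lam (Knuth's method; fine for small rates)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(tef: Range, vulnerability: Range, loss_magnitude: Range,
                         trials: int = 10_000, seed: int = 7) -> Dict[str, float]:
    """Return ALE (mean) and percentiles of simulated annual loss for one vendor."""
    rng = random.Random(seed)  # fixed seed so the assessment is reproducible
    losses: List[float] = []
    for _ in range(trials):
        lef = pert_sample(rng, *tef) * pert_sample(rng, *vulnerability)
        events = poisson_sample(rng, lef)
        losses.append(sum(pert_sample(rng, *loss_magnitude) for _ in range(events)))
    losses.sort()
    return {
        "ale": sum(losses) / trials,
        "p50": losses[trials // 2],
        "p90": losses[int(trials * 0.9)],
        "p99": losses[int(trials * 0.99)],
        "max": losses[-1],
    }


# Constructed scenarios. Same threat frequency and vulnerability; the password
# manager's loss magnitude is far wider because it holds credentials for every
# service its users access.
SCENARIOS = {
    "password-manager": dict(tef=(1, 3, 8), vulnerability=(0.05, 0.2, 0.5),
                             loss_magnitude=(500_000, 5_000_000, 50_000_000)),
    "routine-saas": dict(tef=(1, 3, 8), vulnerability=(0.05, 0.2, 0.5),
                         loss_magnitude=(20_000, 100_000, 500_000)),
}


def rank_vendors(scenarios: Dict[str, dict]) -> List[Tuple[str, Dict[str, float]]]:
    """Order vendors by ALE, highest first, for the risk register."""
    results = {name: simulate_annual_loss(**params) for name, params in scenarios.items()}
    return sorted(results.items(), key=lambda item: item[1]["ale"], reverse=True)


if __name__ == "__main__":
    for name, stats in rank_vendors(SCENARIOS):
        print(f"{name:18} ALE ${stats['ale']:>14,.0f}  p90 ${stats['p90']:>14,.0f}  "
              f"p99 ${stats['p99']:>14,.0f}")
```

The tail percentiles matter more than the mean for a vendor like this: the p99 figure is what a board should see, because a single vault-theft event sits at the far end of the loss-magnitude range while the median year may show no loss at all.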
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- Notice of Recent Security Incident (December 2022) - LastPass Blog
- Security Incident Update and Recommended Actions - LastPass Blog
- Experts Fear Crooks Are Cracking Keys Stolen in LastPass Breach - Krebs on Security
- LastPass 2022 Breach - Wikipedia
- DOJ Cryptocurrency Seizure Related to LastPass Hack - U.S. Department of Justice