5 Things LastPass Customers Need to Do After the Latest Breach


LastPass, one of the world’s most popular password managers, has suffered a massive breach in which customers’ personal data was exposed and their online passwords were put at risk.

In late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had finally paved the way for an unauthorized party to steal customer account information and vault data. This is the latest in a long and troubling series of security incidents involving LastPass, dating back to 2011.

It is also the most alarming.

According to Toubba, an unauthorized party can now access unencrypted subscriber account information, such as LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses. That same unauthorized party also has a copy of customer vault data, which includes unencrypted data such as website URLs and encrypted data such as the usernames and passwords for any sites customers have stored in their vaults. If you are a LastPass subscriber, the severity of this breach should lead you to look for another password manager, as your passwords and personal information are at risk of being exposed.

What should LastPass subscribers do?

The company did not specify how many users were affected by the breach, and LastPass did not respond to CNET’s request for additional comment on the breach. But if you are a LastPass subscriber, you should assume that your user and vault data is in the hands of an unauthorized party with malicious intent. Although the most sensitive data is encrypted, the problem is that the threat actor can perform “brute force” attacks on those stolen local files. LastPass estimates that it would take “millions of years” to guess your master password – if you followed best practices.

If you haven’t – or if you just want total peace of mind – you’ll need to spend some time and effort changing your individual passwords. And while you’re doing that, you’ll probably also want to switch from LastPass.

With that in mind, here’s what you need to do now if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’s history of security incidents and given the severity of this latest breach, now is a better time than ever to look for an alternative.

2. Change your most important site-level passwords immediately. This includes, for example, passwords for online banking, financial accounts, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change all your other online passwords. Again, it’s a good idea to change your passwords in order of importance. Start by changing the passwords of accounts such as email and social media profiles, and then you can go back to other accounts that may not be as important.

4. Enable two-factor authentication where possible. After changing your passwords, the next step is to enable 2FA on every online account that offers it. This gives you an extra layer of protection by alerting you and prompting you to authorize each login attempt. That means that even if someone eventually gets their hands on your new password, they shouldn’t be able to access a particular site without your secondary authentication device (usually your phone).

5. Change your master password. While this doesn’t change the threat level for the stolen vaults, it’s still wise to help mitigate the threats of a possible future attack – that is, if you decide you want to stick with LastPass.

LastPass Alternatives to Consider

  • Bitwarden: CNET’s best password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager on an unlimited number of devices of different device types. Read our Bitwarden Review.
  • 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
  • iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS, and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is safe and easy to set up and use on all your Apple devices. It even offers a Windows client with support for Chrome and Edge browsers.

How did it get this far?

In August 2022, LastPass published a blog post written by Toubba saying that the company “determined that an unauthorized party had gained access to parts of the LastPass development environment through a single compromised developer account and parts of the source code and certain technical information of LastPass had been taken.”

At the time, Toubba said the threat was contained after LastPass “enlisted a leading cybersecurity and forensics company” and implemented “enhanced security measures.” But that blog entry would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to inform customers that the company’s investigation into the incident had concluded.

“Our investigation revealed that the threat actor activity was limited to a four-day period in August 2022. During this period, the LastPass security team detected the threat actor activity and then contained the incident,” said Toubba. “There is no evidence of any threat actor activity outside of the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”

At the time, Toubba assured customers that their passwords and personal information were safe with LastPass.

However, it turned out that the unauthorized person was eventually able to access the customer data. On November 30, Toubba updated the blog post again to warn customers that the company “determined that an unauthorized party, using information obtained in the August 2022 incident, had gained access to certain elements of our customers’ information.”

Then, on Dec. 22, Toubba released an extensive update to the blog post, outlining the unnerving details regarding exactly what customer data the hackers had access to in the breach. It was then that the full gravity of the situation finally came to light and the public learned that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass best practices for passwords and have the latest defaults enabled that no further action is recommended on their part at this time as their “sensitive vault data, such as usernames and passwords, secure notes, attachments and fields for form filling remain securely encrypted based on LastPass’ Zero Knowledge architecture.”

However, Toubba cautioned that those who don’t have LastPass defaults enabled and don’t follow password manager best practices are at greater risk of having their master password cracked. Toubba suggested that those users should consider changing the passwords of the websites they saved.

What does all this mean for LastPass subscribers?

The initial breach ultimately allowed the unauthorized party to access sensitive user account data and vault data, meaning LastPass subscribers should be deeply concerned about the integrity of the data they have stored in their vaults and question whether LastPass is able to keep their data safe.

If you are a LastPass subscriber, an unauthorized party may have access to personal information such as your LastPass username, email address, phone number, name, and billing address. IP addresses used to access LastPass were also exposed to the breach, meaning the unauthorized party could also see the locations from which you accessed your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all the websites for which you’ve saved credentials using the password manager (even if the passwords themselves are encrypted).

This kind of information gives a potential attacker enough ammunition to launch a phishing attack and socially engineer their way into your account passwords. And if you have saved password reset links that may still be active, an attacker can easily create a new password for themselves.

LastPass says that encrypted vault data such as usernames and passwords, secure notes, and form-filled data that has been stolen will remain safe. However, if an attacker were to crack your master password at the time of the breach, they would have access to all that information, including all usernames and passwords of your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Unfortunately, changing your master password now won’t help solve the problem, because the attackers already have a copy of your vault encrypted with the master password you had at the time of the breach. This means that the attackers have essentially unlimited time to crack that master password. Therefore, the safest course is to reset the password, site by site, for every account stored in your LastPass vault. Once the passwords have been changed at the site level, attackers who manage to crack a stolen encrypted vault would only obtain your old, outdated passwords.
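The reasoning above (the vault key comes from the master password, a stolen copy can be tested offline indefinitely, and re-keying the live vault does nothing for the copy already taken) is easier to see in a small model. The following is an added example written for this article, not code from LastPass or CNET: it seals a toy vault with a PBKDF2-derived key and a key-check value, shows that a copy taken before a master-password change still opens with the old password, and estimates how long exhausting a given password space would take at a measured guess rate. The vault format, the field names, the iteration counts and the password spaces are all assumptions for illustration; the real LastPass format differs.

```python
"""Toy model of an encrypted password vault (added example, not LastPass code).

Assumptions: the vault key is PBKDF2-HMAC-SHA256(master password, salt,
iterations), and the vault stores a key-check MAC so the client can verify
a password offline. Every number below is illustrative, not a LastPass value.
"""
import hashlib
import hmac
import os
import time

KEY_CHECK_LABEL = b"vault-check"  # assumed label for the stored key-check value
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault key from the master password (assumed KDF: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_vault(master_password: str, iterations: int) -> dict:
    """Seal a vault: random salt, iteration count, and a key-check MAC.

    The check lets the legitimate client confirm a password without a server,
    which is exactly why a stolen copy can be tested offline as well.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    check = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlocks(vault: dict, candidate: str) -> bool:
    """True if the candidate password reproduces the key the vault was sealed with."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    probe = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(probe, vault["check"])


def change_master_password(live_vault: dict, new_password: str) -> dict:
    """Re-seal the live vault with a new password and fresh salt.

    Only the returned copy changes; any copy taken earlier is untouched and
    still opens with the old password.
    """
    return make_vault(new_password, live_vault["iterations"])


def measure_guess_rate(iterations: int, samples: int = 5) -> float:
    """Candidate passwords per second this machine can test against a vault
    with the given iteration count (one CPU core; a GPU farm is far faster)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password in a space at the given rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed scenario: a copy is taken at breach time, then the user re-keys.
    stolen = make_vault("Summer2019!", iterations=5000)
    live = change_master_password(stolen, "correct horse battery staple")
    print("stolen copy opens with old password:", unlocks(stolen, "Summer2019!"))
    print("stolen copy opens with new password:",
          unlocks(stolen, "correct horse battery staple"))
    print("live copy opens with new password:",
          unlocks(live, "correct horse battery staple"))

    # Illustrative password spaces: 8 chars from 62 symbols vs 4 and 6 random
    # words from a 7776-word list. Iteration counts are assumed values.
    spaces = {"8 alphanumeric chars": 62 ** 8,
              "4 random words": 7776 ** 4,
              "6 random words": 7776 ** 6}
    for iters in (5000, 100_100, 600_000):
        rate = measure_guess_rate(iters)
        print(f"\n{iters} iterations: ~{rate:,.0f} guesses/s on this core")
        for name, size in spaces.items():
            print(f"  {name:22s} {years_to_exhaust(size, rate):,.0f} years")
```

Two things fall out of running it: the stolen copy keeps opening with the password it was sealed with no matter how the live vault is re-keyed, and the only two levers that change the cost of an offline guess are the size of the password space and the iteration count fixed into the stolen file, neither of which can be changed after the fact. The measured rate is for a single core; scale it up by the hardware an attacker is assumed to have before drawing conclusions about a real password.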

For more information on staying safe online, see our data privacy tips that digital security experts want you to know, and learn how to change your browser settings to better guard your data.
