Are you a LastPass user? If you are, you should already know about the breach it suffered, because the company sent an email to its users attempting to update them on the situation concerning the data breach.
The email is misleading. While the wording seems transparent on the surface, it fails to give the users all the information they need. Above everything else, the question that every LastPass user needs to be answered is: should I change all my passwords? But make no mistake. The wording and the lack of additional information are deliberate.
There is a statement in the LastPass blog that is particularly troubling. It states that guessing a user’s master password would take millions of years with the currently available tools. This is questionable. Even worse, it’s the first step in shifting the blame to the user. After all, if somebody cracks your passwords, you are to blame because you obviously ignored the recommendations to set good passwords.
Let’s clarify: it’s exceedingly difficult and expensive to decrypt the passwords, but it’s not impossible, as LastPass wants to imply. If you are a LastPass user, you should be concerned about the latest data breach and do something about it as soon as possible.
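To see why "millions of years" is a claim about the user's password rather than about the vault itself, here is a worked estimate, added for this article and not taken from LastPass's disclosure. The attacker hash rate and the KDF iteration count are assumed round numbers, not figures from the breach; the point is how the result moves with password entropy and with the iteration count.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumptions (not from the LastPass disclosure):
ASSUMED_RAW_HASHES_PER_SECOND = 1e10   # hypothetical offline cracking rig throughput
ASSUMED_KDF_ITERATIONS = 100_000       # hypothetical key-derivation iteration count


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `charset_size` options."""
    return length * math.log2(charset_size)


def expected_years_to_crack(entropy_bits: float,
                            raw_hashes_per_second: float = ASSUMED_RAW_HASHES_PER_SECOND,
                            kdf_iterations: int = ASSUMED_KDF_ITERATIONS) -> float:
    """Expected offline guessing time: on average half the keyspace must be tried.

    Every candidate master password costs `kdf_iterations` hash computations,
    so the effective guess rate is the raw hash rate divided by the iterations.
    """
    guesses_per_second = raw_hashes_per_second / kdf_iterations
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_master_passwords() -> dict:
    """Weak versus strong master password under the same attacker assumptions."""
    weak = password_entropy_bits(8, 26)     # 8 lowercase letters, ~37.6 bits
    strong = password_entropy_bits(12, 95)  # 12 random printable ASCII, ~78.8 bits
    return {
        "weak_bits": weak,
        "weak_years": expected_years_to_crack(weak),
        "strong_bits": strong,
        "strong_years": expected_years_to_crack(strong),
    }


if __name__ == "__main__":
    for name, value in compare_master_passwords().items():
        print(f"{name}: {value:,.2f}")
```

Under these assumptions the 8-letter password falls in days while the 12-character random one takes billions of years; raising the iteration count helps every user by the same factor, but it cannot rescue a weak master password by itself.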
So who should be worried? Should you? While it remains unclear who was behind the data breach, the evidence suggests it was a state-level actor. So take a moment to consider whether your online activities could be of interest to that type of organization. If you are an average, low-profile user, it’s unlikely that somebody will spend significant resources to get your passwords. However, let’s remember that prevention is the best security policy, so even if you have no reason to believe that the government is after you, you should adopt a few measures to prevent any problems.
So what happened, anyway?
According to the LastPass announcement, an attacker accessed third-party cloud-based storage. The storage in question is in use by LastPass to store archived backups of their data.
The compromised data includes company names, billing and email addresses, phone numbers, end-user names, and customer IP addresses.
Last but not least, the attack stole a backup of customer vault data. That’s where your passwords are stored.
Fortunately, those passwords are encrypted, so the attackers can’t get or use them immediately. Instead, they must invest time, effort, and resources to decrypt them first.
As for when this happened, we don’t know.
11 things to protect yourself from the LastPass security breach
1. Changing your master password is not enough
Remember that the breach included the theft of archived backups. This means that, even if you change your master password, the thieves already have a copy of your data they can unlock using your current/previous password. Ensuring your safety will need additional work. Keep reading.
2. Stop using LastPass
You are obviously going to have to change all the passwords you had stored in LastPass. However, we don’t know if the attackers have ongoing access to the live production databases. If they do, then changing your passwords only to store them again in LastPass won’t protect you because the hackers can still access them. So you will have to keep your new passwords somewhere else. In other words, you should refrain from using LastPass.
3. Move your digital assets to new digital wallets
Did you store your digital wallet’s seed phrase on LastPass? If you did, stop everything you do because you need to take this step urgently.
Your wallet is now vulnerable if its seed phrase was in LastPass. You need to generate a new wallet as soon as possible. Create new seed phrases and keep them stored strictly offline. Then, move all your crypto assets to the new crypto wallet.
4. Don’t waste time looking for a perfect custody solution
You must move quickly to remain unharmed after the latest LastPass security breach.
If your seed phrases are compromised, you must move your digital assets. It doesn’t matter if you don’t have a good long-term solution to keep your assets safe. The first thing to do is to keep them away from the LastPass attackers. Once you’ve done that, you’ll have plenty of time to figure out what to do later.
5. Change all your passwords on crypto platforms and other financial services
For better digital asset security, choose a unique password for each crypto account and for any other account dealing with financial services.
Turn on 2FA wherever it is available. This will minimize the vulnerability created by a stolen password. If your 2FA secret was also stored in LastPass, remove it and set it up again.
6. Change the passwords for all your email accounts
The password-reset features on most websites can turn your email accounts into backdoors for almost every account you have. So, you must ensure that all your email accounts remain secured with new and unique passwords.
Each password must be unique and protected by a 2FA method whose secret is not stored in LastPass.
7. Change your Google and Apple iCloud passwords too
These accounts have access to a lot of your information and activities. They can even surrender data about your mobile devices because of the backups stored in the cloud. Change these passwords right now.
8. Set up a new password manager
If you’ve followed our advice so far, then all the emergency steps are covered. Next, it’s time to set up a new password manager.
Consider NordPass, KeePass, Bitwarden, or 1Password when choosing a new password manager.
Pick an excellent password manager and move all your passwords to your new service. Our number one recommendation here is NordPass.
Also, remember this: seed phrases do not belong in password managers because they’re too important. Instead, you must keep them stored offline.
9. Take care of all your other accounts too
Now that you have a new password manager ready, you need to change the password in every other account you have on the internet. Yes, all of them.
We know it’s cumbersome. It’s also necessary.
10. Make a long-term plan for your crypto capital
Again, once all the emergency measures are in place, you can move forward and come up with a brand new long-term plan for the custody of your crypto assets.
Do your homework, learn about your options (hot and cold storage), the best available wallets, and everything else you could need to know.
11. Act now
We can’t overemphasize this: if you are a LastPass user, you are in danger and can’t wait to deal with this situation. Act right now.
Conclusion
Many questions remain about the latest major LastPass data breach. However, the pending answers are not needed to prevent this breach from harming you.
If you are a LastPass user, you must go into emergency mode immediately and follow the emergency and long-term security measures described in this guide.
Don’t procrastinate. Waiting even a little could mean your reaction will happen too late to make a difference.
Remember: nothing is more important than being safe online, and if your password manager is LastPass, you’re currently not. Be aware. Please do something about it.