LastPass users: Here’s what you need to do after the breach

Ali Qamar | Last updated: December 31, 2022

LastPass’s breach needs to be taken very seriously. You need to go beyond changing your passwords.

The cloud storage behind the LastPass password manager suffered a major data breach in which the attackers got away with a full backup copy of customer password vaults. If you are a LastPass user, you must act immediately to keep this breach from harming you.

Are you a LastPass user? If you are, you should already know about the breach the company suffered, because it sent an email to its users attempting to update them on the situation concerning the data breach.

The email is misleading. While the wording seems transparent on the surface, it fails to give users all the information they need. Above everything else, the question every LastPass user needs answered is: should I change all my passwords? And make no mistake: the wording and the lack of additional information are deliberate.

There is a statement in the LastPass blog which is particularly troubling. It states that guessing a user’s master password would take millions of years with the currently available tools. This is questionable. Even worse, it’s the first step in shifting the blame to the user. After all, if somebody cracks your passwords, you are to blame because you obviously ignored the recommendations to set good passwords.

Let’s get something clear: it’s exceedingly difficult and expensive to decrypt the passwords, but it’s not impossible at all, as LastPass wants to imply. If you are a LastPass user, you should be concerned about the latest data breach and do something about it as soon as possible.

So who should be worried? Should you? While it remains unclear who was behind the data breach, the evidence suggests it was a state-level actor. So take a moment to consider whether your online activities could be of interest to that type of organization. If you are an average, low-profile user, it’s unlikely that somebody will spend significant resources to get your passwords. However, prevention is the best security policy, so even if you have no reason to believe that a government is after you, you should adopt a few measures to prevent any problems.

So what happened, anyway?

According to the LastPass announcement, an attacker accessed third-party cloud-based storage. LastPass uses that storage to hold archived backups of its data.

The compromised data includes company names, billing and email addresses, phone numbers, end-user names, and customer IP addresses.

Last but not least, the attackers stole a backup of customer vault data. That’s where your passwords are stored.

Fortunately, those passwords are encrypted, so the attackers can’t get or use them immediately. Instead, they must invest time, effort, and resources to decrypt them first.

As for when this happened, we don’t know.

11 things to protect yourself from the LastPass security breach

What LastPass users need to do after the breach

1. Changing your master password is not enough

Remember that the breach included the theft of archived backups. This means that, even if you change your master password, the thieves already hold a copy of your data that they can unlock with your current (or previous) master password. Staying safe will take additional work. Keep reading.
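The following added example illustrates the point above in code. It is not LastPass’s software or vault format; it is a simplified stand-in (PBKDF2-HMAC-SHA256 key stretching plus an HMAC-based keystream and integrity tag) written for this article, and the iteration count, vault contents and passwords in it are constructed values. It shows that a stolen backup blob stays bound to the master password that was in force when the backup was made: rotating the master password afterwards produces a new blob but changes nothing about the copy already in the attacker’s hands.

```python
import hashlib
import hmac
import os

# Assumed key-stretching cost for this demo; not a statement about
# what LastPass actually uses.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256. Illustrative only,
    standing in for the real authenticated cipher a vault would use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    """Produce a 'backup blob': random salt, ciphertext and an integrity tag
    keyed by the stretched master password."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ct": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, blob: dict):
    """Return the plaintext when the password matches the blob, else None."""
    key = derive_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))


def rotation_does_not_help(old_pw: str, new_pw: str, vault: bytes) -> dict:
    """Simulate a backup stolen before a master-password change, then the change."""
    stolen_backup = encrypt_vault(old_pw, vault)  # copy the attacker already holds
    live_vault = encrypt_vault(new_pw, vault)     # what the rotation produces on the service
    return {
        # The stolen copy still opens with the password it was made under.
        "stolen_opens_with_old": decrypt_vault(old_pw, stolen_backup) == vault,
        # The new master password is irrelevant to the stolen copy.
        "stolen_opens_with_new": decrypt_vault(new_pw, stolen_backup) == vault,
        # Only the live vault is protected by the new password.
        "live_opens_with_old": decrypt_vault(old_pw, live_vault) == vault,
    }


if __name__ == "__main__":
    # Constructed sample vault content and passwords.
    sample_vault = b"example.com: hunter2\nmail.example.org: swordfish\n"
    print(rotation_does_not_help("old-master-passphrase", "new-master-passphrase", sample_vault))
```

The first result stays True no matter how many times the master password is rotated, which is why the only rotation that devalues the stolen copy is changing the passwords stored inside it, at each site, and storing the new ones somewhere the attacker does not hold a copy of.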

2. Stop using LastPass

You are obviously going to have to change all the passwords you had stored in LastPass. However, we don’t know whether the attackers have ongoing access to the live production databases. If they do, changing your passwords only to store them in LastPass again won’t protect you, because the hackers can still access them. So you will have to keep your new passwords somewhere else. In other words: you should refrain from using LastPass.

3. Move your digital assets to new digital wallets

Did you store your digital wallet’s seed phrase on LastPass? If you did, stop everything you’re doing because you need to take this step urgently.

Your wallet is now vulnerable if its seed phrase was in LastPass. You need to generate a new wallet as soon as possible. Create a new seed phrase and keep it stored strictly offline. Then move all your crypto assets to the new wallet.