LastPass users: Here’s what you need to do after the breach

Ali Qamar  - Cybersecurity Analyst
Last updated: October 10, 2023
Read time: 6 minutes

LastPass's breach needs to be taken very seriously. You need to go beyond changing your passwords.


The LastPass password manager cloud storage service suffered a major data breach in which the attackers got away with a full backup copy of the password vault. If you are a LastPass user, you must act immediately to prevent this breach from harming you.

Are you a LastPass user? If you are, you should already know about the breach it suffered because the company sent an email to its users attempting to update the situation concerning the data breach.

The email is misleading. While the wording seems transparent on the surface, it fails to give the users all the information they need. Above everything else, the question that every LastPass user needs to be answered is: should I change all my passwords? But make no mistake. The wording and the lack of additional information are deliberate.

There is a statement in the LastPass blog that is particularly troubling. It states that guessing a user’s master password would take millions of years with the currently available tools. This is questionable. Even worse, it’s the first step in shifting the blame to the user. After all, if somebody cracks your passwords, you are to blame because you obviously ignored the recommendations to set good passwords.

Let’s clarify: it’s exceedingly difficult and expensive to decrypt the passwords, but it’s not impossible at all, as LastPass wants to imply. If you are a LastPass user, you should be concerned about the latest data breach and do something about it as soon as possible.

So who should be worried? Should you? While it remains unclear who was behind the data breach, the evidence suggests it was a state-level actor. So take a moment to consider if your online activities could be of interest to that type of organization. If you are an average, low-profile user, it’s unlikely that somebody will use more resources to get your passwords. However, let’s remember that prevention is the best security policy, so even if you have no reason to believe that the government is after you, you should adopt a few measures to prevent any problems.

So what happened, anyway?

According to the LastPass announcement, an attacker accessed third-party cloud-based storage. The storage in question is in use by LastPass to store archived backups of their data.

The compromised data includes company names, billing and email addresses, phone numbers, end-user names, and customer IP addresses.

Last but not least, the attack stole a backup of customer vault data. That’s where your passwords are stored.

Fortunately, those passwords are encrypted, so the attackers can’t get or use them immediately. Instead, they must invest time, effort, and resources to decrypt them first.

As of the time when this happened, we don’t know.

11 things to protect yourself from the LastPass security breach

LastPass security

1. Changing your master password is not enough

Remember that the breach included the theft of archived backups. This means that, even if you change your master password, the thieves already have a copy of your data they can unlock using your current/previous password. Ensuring your safety will need additional work. Keep reading.

2. Stop using LastPass

You are obviously going to have to change all the passwords you had stored in LastPass. However, we don’t know if the attackers have ongoing access to the live production databases. If they do, then changing your passwords only to store them again in LastPass won’t protect you because the hackers can still access them. So you will have to keep your new passwords somewhere else. In other words, you should refrain from using LastPass.

3. Move your digital assets to new digital wallets

Did you store your digital wallet’s seed phrase on LastPass? If you did, stop everything you do because you need to take this step urgently.

Your wallet is now vulnerable if its seed phrase was in LastPass. You need to generate a new wallet as soon as possible. Create new seed phrases and keep them stored strictly offline. Then, move all your crypto assets to the new crypto wallet.

4. Save your time looking for a perfect custody solution

You must move quickly to remain unharmed after the latest LastPass security breach.

If your seed phrases are compromised, you must move your digital assets. It doesn’t matter if you don’t have a good long-term solution to keep your assets safe. The first thing to do is to keep them away from the LastPass attackers. Once you’ve done that, you’ll have plenty of time to figure out what to do later.

5. Change all your passwords on crypto platforms and other financial services

Choose unique passwords for each crypto account for better digital assets security or any other one dealing with financial services.

Turn 2FA wherever available. This will minimize the vulnerability created by a stolen password. If your 2FA code was also in your LastPass, remove it and set it up again.

6. Change the passwords for all your email accounts

The forgotten password features in most websites can turn your email accounts into backdoors for almost every account you have. So, you must ensure that all your email accounts remain secured with new and unique passwords.

Each password must be unique and use a 2FA not stored in LastPass.

7. Change your Google and Apple iCloud passwords too

These accounts have access to a lot of your information and activities. They can even surrender data about your mobile devices because of the backups stored in the cloud. Change these passwords right now.

8. Set up a new password manager

If you’ve followed our advice so far, then all the emergency steps are covered. Next, it’s time to set up a new password manager.

Consider NordPass, Keepass, Bitwarden, or 1Password to choose a new password manager.

Choose an excellent password manager, and move all your passwords to your new service. Our number one recommendation here is NordPass.

Also, remember this: seed phrases do not belong in password managers because they’re too important. Instead, you must keep them stored offline.

9. Take care of all your other accounts too

Now that you have a new password manager ready, you need to change the password in every other account you have on the internet. Yes, all of them.

We know it’s cumbersome. It’s also necessary.

10. Make a long-term plan for your crypto capital

Again, once all the emergency measures are in place, you can move forward and come up with a brand new long-term plan for the custody of your crypto assets.

Do your homework, learn about your options (hot and cold storage), the best available wallets, and everything else you could need to know.

11. Act now

We can’t overemphasize this: if you are a LastPass user, you are in danger and can’t wait to deal with this situation. Act right now.


Many questions remain about the latest LastPass major data breach. However, the pending answers are not relevant in preventing this breach from harming you.

If you are a LastPass user, you must go into emergency mode immediately and follow the emergency and long-term security measures described in this guide.

Don’t procrastinate. Waiting even a little could mean your reaction will happen too late to make a difference.

Remember: nothing is more important than being safe online, and if your password manager is LastPass, you’re currently not. Be aware. Please do something about it.

Share this article

About the Author

Ali Qamar

Ali Qamar

Cybersecurity Analyst
47 Posts

A strong passion drives Ali Qamar. He wants to empower internet users with privacy knowledge. He founded PrivacySavvy, an authority dedicated to fostering a security-conscious online community. Ali believes in individual liberty. He has been a vocal advocate for digital privacy rights long before Edward Snowden's mass surveillance revelation shook the world. Ali recently co-authored a book called "The VPN Imperative." It is available on Amazon. The book is a testament to his relentless quest to raise awareness about the importance of online privacy and security. Ali has a computing degree from Pakistan's top IT institution. He understands the details of encryption, VPNs, and privacy well. Many see Ali as an authority in his field. The local press often seeks his insights. His work has appeared in many famous publications. These include SecurityAffairs, Ehacking, HackRead, Lifewire,, Intego, and Infosec Magazine. He is inclined to transformative ideas. This is clear in his work. It aims to reshape how people approach and prioritize their online privacy. Through PrivacySavvy and his writing, Ali Qamar champions digital freedom. He gives internet users the knowledge and tools they need. They use these to reclaim control over their data. They can then navigate the online world with confidence and security.

More from Ali Qamar


No comments.