LastPass users: Here’s what you need to do after the breach

Ali Qamar - Cybersecurity Analyst
Last updated: October 10, 2023

LastPass's breach needs to be taken very seriously. You need to go beyond changing your passwords.

THE TAKEAWAYS

The LastPass password manager cloud storage service suffered a major data breach in which the attackers got away with a full backup copy of the password vault. If you are a LastPass user, you must act immediately to prevent this breach from harming you.

Are you a LastPass user? If you are, you should already know about the breach, because the company sent its users an email attempting to update them on the situation.

The email is misleading. While the wording seems transparent on the surface, it fails to give users all the information they need. Above everything else, the question every LastPass user needs answered is: should I change all my passwords? But make no mistake. The wording and the lack of additional information are deliberate.

There is a statement in the LastPass blog that is particularly troubling. It states that guessing a user’s master password would take millions of years with the currently available tools. This is questionable. Even worse, it’s the first step in shifting the blame to the user. After all, if somebody cracks your passwords, you are to blame because you obviously ignored the recommendations to set good passwords.

Let’s clarify: decrypting the passwords is exceedingly difficult and expensive, but it is by no means impossible, contrary to what LastPass wants to imply. If you are a LastPass user, you should be concerned about the latest data breach and do something about it as soon as possible.

So who should be worried? Should you? While it remains unclear who was behind the data breach, the evidence suggests it was a state-level actor. So take a moment to consider whether your online activities could be of interest to that type of organization. If you are an average, low-profile user, it’s unlikely that somebody will spend additional resources to get your passwords. However, let’s remember that prevention is the best security policy, so even if you have no reason to believe that the government is after you, you should adopt a few measures to prevent any problems.

So what happened, anyway?