If You Use LastPass, You Need to Change All of Your Passwords ASAP
Are you a LastPass user? This popular password manager was the target of a major data breach last December, which means many people’s passwords and personal data were exposed to nefarious entities.
According to LastPass CEO Karim Toubba, a security incident in August led to unauthorized parties stealing customer data in December. This is not a unique event for LastPass, however: the company has been having security incidents since 2011.
What kind of data was exposed? According to Toubba, hackers got their hands on unencrypted data such as LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.
There was also vault data stolen, containing both unencrypted and encrypted information such as usernames and passwords for all visited sites.
Let’s pause for a second here. This is a password manager. They’re holding the keys to your kingdom, so to speak. Anyone sensible would think that they’d do well what they’re supposed to do, that is, storing your passwords securely.
Even more alarming is the fact that this has been happening since at least 2011, and nobody knows how many other undisclosed events might have happened so far.
What to do about it
If you’re a LastPass user, the first thing that comes to mind is switching to another service. However, the most pressing issue is to immediately change your passwords on any site you have visited. You have to assume there’s somebody out there with all your data, and possibly a lot of ideas on how to use it.
Even though the most sensitive data is encrypted, nothing prevents crackers from running brute-force attacks against a stolen copy of your vault, although a good master password can take a very long time to crack. According to LastPass, it could be millions of years, unless you have used “qwerty1234” or something similar.
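To make the brute-force point concrete, here is an added Python example (not from the article, and not LastPass's own code or figures) that estimates how long exhaustive guessing of a master password would take at an assumed guess rate, and shows why a password that appears on a leaked-password wordlist such as “qwerty1234” falls immediately regardless of how large its character set looks. The guess rate, the miniature wordlist and the “strong” threshold are all constructed assumptions.

```python
import math
import string

# Constructed assumption, not a figure from the article: an attacker testing
# one billion master-password guesses per second against a stolen vault copy.
# Real key-derivation settings make each guess far slower; the ordering of
# the results, not the absolute numbers, is the point.
ASSUMED_GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed miniature wordlist standing in for the huge public lists of
# leaked passwords that every cracking tool tries before any exhaustive search.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "qwerty1234", "letmein"}


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes (lower, upper,
    digits, ASCII punctuation) that contains every character of the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search over that mix must cover."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole search space at the assumed guess rate."""
    return search_space(password) / rate / SECONDS_PER_YEAR


def assess(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Return a verdict for a candidate master password.

    A password on the wordlist is 'common': its keyspace is irrelevant because
    it is tried in the first moments of an attack. Otherwise classify by how
    long exhaustive search would take (threshold is a constructed choice)."""
    if password.lower() in COMMON_PASSWORDS:
        return {"verdict": "common", "bits": 0.0, "years_to_exhaust": 0.0}
    bits = math.log2(search_space(password))
    years = years_to_exhaust(password, rate)
    verdict = "strong" if years > 1e6 else "weak"
    return {"verdict": verdict, "bits": bits, "years_to_exhaust": years}


if __name__ == "__main__":
    # Constructed sample passwords: a wordlist entry, a short mixed one, a long one.
    for pw in ["qwerty1234", "Zebra42!", "Correct-Horse7Battery-Staple"]:
        r = assess(pw)
        print(f"{pw!r}: {r['verdict']}, ~{r['bits']:.0f} bits, "
              f"{r['years_to_exhaust']:.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

The keyspace arithmetic alone would rate “qwerty1234” at a few months of guessing, which is exactly the trap: attackers do not start with exhaustive search, they start with lists of passwords people have actually used, so a patterned or reused master password offers no protection no matter what its character count suggests.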
Since the company has a history of security breaches, you might also consider visiting sites you no longer use but still have access to, just in case. You may think this is a colossal task, and it is. But it’s much better to be safe than sorry.
The best course of action is to start with the most important sites first. This means your passwords for online banking, e-commerce platforms, job-related sites, health services and anywhere where you may have critical private information stored.
Then you can go on to changing passwords for less critical sites such as newspaper subscriptions, online forums, etc. Don’t forget your phone apps, too, since many are permanently logged in. Finally, use 2-factor authentication. I know it’s a drag, but it’s the best way to prevent someone from accessing your account.
A “fun” fact about this security breach and LastPass is that, even though you may think your encrypted info is safe, it indirectly isn’t. This is because LastPass doesn’t encrypt your visited URLs, so hackers can see where you logged in, and whether you have login information saved. This paves the way for many social engineering tactics.
We live in a brave new world, folks. But with these recommendations, you’ll be in top shape to prevent major issues even if someone manages to get their dirty hands on your data.
This is exactly why I never use a password manager.
Some people may not be comfortable using a cloud-based password manager; however, there are offline password managers such as KeePass. Your data is stored locally on your PC.
No matter what you use, risk is involved. A natural or deliberate event (fire, flood, earthquake…) may take out your computer and backups.
You need offsite backup for KeePass. What’s handy for that? A cloud account.
This person knows. You just write your passwords in a notebook and leave it in your desk drawer. So convenient and much safer than an offline password manager like KeePass.
Thanks Shaun. I sent my cousin an email at 7:45 am
He just wouldn’t listen to me then. Maybe now.
Lastpass, yes, last pass, nobody will give them any other pass. Thanks for the article.
I linger to understand how, why LastPass is (so) popular. It regularly encounters serious issues, its Firefox extension weighs ~42MB, it’s bloated and complicated to use, whilst another password manager, ‘Bitwarden’, is far less problematic, small in size (FF extension ~8MB), intuitive and efficient. Both FF extensions have approximately the same number of users at this time (691K vs. 608K): LastPass isn’t that popular in fact.
Of course I don’t use LastPass (I had tried it many years ago). Bitwarden is my choice, never encountered the slightest problem.
Anyway, for the poor souls who do rely on LastPass may they read this article, change *all* their passwords and maybe wonder if they’ve made the right move when choosing LastPass.
A popular password manager is 1Password. It has additional security that LastPass doesn’t have
I have been a LastPass customer for many years now and am disappointed in them. They should have encrypted URLs. I would recommend changing to a different password manager. I’ve chosen 1Password. I am in the process of going through over 200 accounts and changing passwords. Before this hack, LastPass was a well recommended password manager but not anymore.
This article is about 2 months late but better late than never I guess.
I normally like Ghacks’ journalism, but this article contains several inaccuracies and misleading statements, and provides incorrect advice. It adds nothing to what has already been written on the subject. IMO the best thing to do would be to delete it.
> “I normally like Ghacks’ journalism, but this article contains several inaccuracies and misleading statements, and provides incorrect advice.”
You should write those mistakes to be considered our chief master commander.
It is my understanding that the “blobs” of encrypted data representing LastPass vaults were compromised, but without knowing the passwords these are useless — except when a user is in the habit of sharing passwords across apps and a hacker can then use one of these known passwords to break into the vault.
Since this article did not provide a link to the LastPass update on the breach, here it is:
LOL who cares. It’s breach after breach no matter what service you use. This world is F(*&*ed.
KeePass is all you need. No cloud or bloated clients.
KeePass has some pretty bad security vulnerabilities. No website on planet Earth has gone un-hacked. They have all been compromised, and they have had it happen regularly. You cannot keep hackers out, it is impossible. All the managers listed in the comments have had breaches, too. They just haven’t admitted them or don’t know about them.
My master password is 27 characters long, my vault will never be cracked. They provide you a platform to access your vault from anywhere. The security of your vault is YOUR responsibility. Not a corporation, not another person. You and only you. If you chose a poor password, when they specifically tell you not to, that’s on you.
The most secure place for passwords is your brain’s memory. No brainer!