If You’ve Ever Used LastPass, You Should Change All Your Passwords Now

Personal details and password vaults containing the sign-in credentials of millions of users are now in the hands of criminals. If you’ve ever used the password manager, LastPass, you should change all of your passwords for everything, now. And you should immediately take further measures to protect yourself.

What Happened in the 2022 LastPass Data Breach?

LastPass is a password management service which operates on a "freemium" model. Users can store all of their passwords and logins for online services with LastPass, and access them through the web interface, through browser add-ons, and through dedicated smartphone apps.

Passwords are stored in "vaults", which are protected by a single master password.

In August 2022, LastPass announced that criminals had used a compromised developer account to access the LastPass development environment, source code, and technical information.

Further details were released in November 2022, when LastPass added that some customer data had been disclosed.

The true severity of the breach was revealed on December 22, when a LastPass blog post noted that criminals had used some of the information obtained in the earlier attack to steal backup data including customer names, addresses and phone numbers, email addresses, IP addresses, and partial credit card numbers. Additionally, they managed to steal user password vaults containing unencrypted website URLs and site names, as well as encrypted usernames and passwords.

Is It Difficult for Criminals to Crack Your LastPass Master Password?

Theoretically, yes, hackers should find it difficult to crack your master password. The LastPass blog post notes that if you use their default recommended settings, "it would take millions of years to guess your master password using generally-available password-cracking technology."

LastPass requires the master password to be a minimum of 12 characters, and recommends "that you never reuse your master password on other websites."

However, LastPass is unique among password management services in that it allows users to set a password hint to remind them of their master password should they lose it.

Effectively, this encourages users to use dictionary words and phrases as part of their password, rather than a truly random strong password. No password hint is going to help if your password is "lVoT=.N]4CmU".

The LastPass password vaults have been in the hands of criminals for some time now, and even though they’re encrypted, they will eventually be subject to brute force attacks.

Attackers will find their work easier thanks to the existence of massive databases of commonly used passwords. You can download a 17GB password list comprising the 613 million most common passwords from haveibeenpwned, for instance. Other password and credential lists are available on the dark web.

To try each of the half billion most common keys against an individual vault would take minutes, and although relatively few would be the required 12 characters, it’s likely that cybercriminals will be able to easily break into a good proportion of vaults.

Add to that the fact that computing power increases year-on-year, and that motivated criminals can use distributed networks to help with the effort; "millions of years" doesn’t seem feasible for the majority of accounts.

Does the LastPass Breach Just Affect Passwords?

While the headline news is that criminals can take their time to break into your LastPass vault, they can take advantage of you in other ways by using your name, address, phone number, email address, IP address, and partial credit card number.

These can be used for a number of nefarious purposes including spearphishing attacks against you and your contacts, identity theft, taking out credit and loans in your name, and SIM swap attacks.

How Can You Protect Yourself After the LastPass Data Breaches?

You should assume that within a few years, your master password will be compromised and all the passwords contained within will be known to criminals. You should change them now, and use unique passwords you have never used before, and which aren’t in any of the commonly used password lists.

With regard to the other data criminals obtained from LastPass, you should freeze your credit, and engage a credit monitoring service to monitor any new card or loan applications in your name. If you’re able to change your phone number without too much inconvenience, you should do that too.

Take Responsibility for Your Own Security

It’s easy to blame LastPass for the data breaches which saw your password vaults and personal details fall into the hands of criminals, but password management services that secure your life and help you generate unique combos are still the best way to secure your online life.

One way to make it more difficult for would-be thieves to get hold of your vital data is to host a password manager on your own hardware. It’s cheap, easy to do, and some solutions, such as VaultWarden, can even be deployed on a Raspberry Pi Zero.