LastPass post-breach followup

June 12, 2024

In late 2022-mid 2023 it was revealed that Last Pass had experienced a breach of its servers. Information trickled out slowly and over time as to what happened and it was eventually revealed that:

"The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba [CEO of LastPass]. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults. "

How quickly the password data stored in these vaults can be exposed depends entirely on how strong the Master Password for the vault was at the time. By current cybersecurity standards, strong is generally considered a password 12 characters or longer with at least one capital letter, one number, and one symbol. What you want is a password that will take millions of years by current technology to brute force attack.

More information about the LastPass breach and data exposure can be found here:

https://www.cnet.com/tech/services-and-software/still-using-lastpass-you-need-to-do-these-5-things/
https://blog.lastpass.com/posts/2022/12/notice-of-recent-security-incident
https://blog.lastpass.com/posts/2023/03/security-incident-update-recommended-actions
https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/security-bulletin-recommended-actions-free-premium-families.html&_LANG=enus

What to Do
---------------
So users of Last Pass at the time should have received a notification from the company no later than March of 2023 what to do. Users who missed that notification should consult the LastPass Security Bulletin for Recommended Actions as the main roadmap for what to do going forward. Please note I am not a LastPass user so I am not familiar with all the settings or terminology mentioned therein.

I will repost the LastPAss Security Bulletin Recommended Actions road map link here:

https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/security-bulletin-recommended-actions-free-premium-families.html&_LANG=enus

Though new users of LastPass post-compromise are safe, old LastPass users who do not remember receiving the security notification email from LastPass should immediately reset their Master Password if they haven’t already to prevent any future possible breaches of their password data. Any master password should be reset if doesn’t meet the currently defined cybersecurity minimum standard of secure.

LastPass recommends the following guidance which is inline with industry best practices:

    • Use a minimum of 12 characters, but longer is better
    • Use at least one of each upper case, lower case, numeric, symbols and special characters
    • Make sure it's unique (don't use it anywhere else)
    • Don't use personal information
    • To maximize your security use a randomly generated master password

Tip: To generate a random password, use the LastPass Password Generator.
Note: To LastPass Families customers: Make sure all members of your Families account follow these best practices. The safety of your shared items is determined by the person with the weakest master password.

Conceptually what LastPass users in 2022 and early 2023 should assume is that all of their passwords in their password vault for all of their websites they access have been compromised. If LastPass can change each and every password for each site, it should do so. If the individual stored passwords for each of your sites has already been changed post breach in 2022 then you are set. Changing the passwords for each of your sites will ensure the password data in the compromised vaults will be out of date and none of the exposed password vault data can be used to compromise any of your online accounts.