LastPass breach


What Happened?

On December 22, 2022, LastPass announced that they had suffered a data breach a few months earlier. LastPass is password management software that 25.6 million people use to store their passwords. The password vaults of many people were stolen. This Wired article goes into more detail.

What Does This Mean?

If you use LastPass to store your passwords, it is possible that your password vault was stolen. The vault is encrypted, and individual passwords in the vault are also encrypted. If someone is able to crack your vault password, they could see the contents of your vault, minus the actual passwords. This means they could also access your current LastPass vault unless you have additional protections (two-factor authentication) in place.

Though your individual passwords are further encrypted, the websites and usernames are not encrypted in the vault. This means someone would know you have a login to a given website and what your username is. That is enough information to target high-value sites like banking, PayPal and so on.

What Should I Do?

If you are a LastPass customer, you should:

  1. Change your LastPass vault password.
  2. Turn on two-factor authentication for your LastPass account.
  3. Change passwords on your high-value (i.e. financial) logins that were stored in LastPass. Ideally, change all passwords that were stored in LastPass.
  4. Consider whether you want to switch to another password manager. There are many other products and exporting and importing passwords. This Wired article reviews several products.

What Does IT Think?

We think using a password manager is a great way to use complex passwords and make them easy to use. Most password managers have a web browser plugin, so they work with a few clicks and no typing. This is a good reminder that any company is vulnerable to a breach, even a company that offers a security product. Because of this breach, we no longer recommend LastPass as an option. We do recommend using a password manager. Again, the above Wired article reviews some options, and you can make a choice that fits your needs and budget.