LastPass Hack: Are Your Passwords Safe?

LastPass Hack - What You Need To Do

In late-Summer 2022, security researchers rumbled about news of a breach at GoTo’s LastPass. At first, very little was shared, leaving us to wonder the severity of the faux pas. Just ahead of the new year, the company comprehensively updated the public on what occurred. Many were not pleased. Even more recently, in early-March 2023, the company shared another update to (so it seems) close the loop on this security blunder.

If I use LastPass, is my data safe?

Ultimately, LastPass insists that if your master password was at least 12 characters, then the ability of a hacker to brute force guess your password is diminished. According to Hive Systems, a 12-character password with a combination of upper and lowercase characters would take 300 years to crack, and if you add in numbers and symbols, it would take thousands.

On the flip side, CNet pointed out that hackers got access to “LastPass username, email address, phone number, name, […] billing address, IP addresses used when accessing LastPass [… and] users’ stored website URLs,” which is frustrating from a privacy perspective, but also opens victims up to phishing attacks.

Do I need to do anything?

LastPass has published two security bulletins – and since this blog focuses on small business and household tech, we’re going to explore the advice for the LastPass Free, Premium and Families plans. If you’re confident that malicious actors won’t crack your master password (and as long as it’s a 12-character combo featuring more than just numbers, lowercase, or uppercase numbers) then your risk is likely lower. My take: as a (former) LastPass user and a somewhat paranoid technology consumer I changed as many passwords in my vault as I could. However, if that is too much work, you could change your social media, financial, and email passwords, and likely feel a bit more at ease.

If you plan to continue using LastPass, you should consider enabling their free dark web monitoring, which at the time of publishing, LastPass says will be rolled out soon to all account types, not just Premium and Families. Additionally, they recommend enabling multi-factor authentication for your vault, for which they have a guide available.

Are there safer alternatives?

The short answer: yes. I recently switched to Bitwarden and haven’t looked back. The free version, at the time of publishing, allows you to sync passwords across multiple devices (e.g., your phone and your laptop), while many other password managers charge for this feature. (This used to be included in LastPass’s free version, which they later changed.)

Looking for further assistance to secure your passwords? Please don’t hesitate to contact me to set up a remote session.