On December 22, 2022, online password management service LastPass revealed that hackers had obtained extensive information from user accounts such as billing and email addresses, end-user names, telephone numbers, and IP address info.
Also leaked was customer vault data, which includes both unencrypted data such as website URLs and encrypted data like website usernames and passwords, secure notes, and form-filled data. A previously announced hack (opens in new tab) of customer data in August 2022 apparently opened the door to this more serious data breach.
What are the risks for LastPass users?
All 30 million LastPass (opens in new tab) users, with data stored on the company servers as of August 2022, are at risk. Hackers now have a copy of your entire password vault. Should they manage to crack your master password, they can take over your online life. That means full access to your emails, bank accounts, healthcare data, tax information, social media accounts – you name it.
Sign up for Kiplinger’s Free E-Newsletters
Profit and prosper with the best of Kiplinger’s expert advice on investing, taxes, retirement, personal finance and more – straight to your e-mail.
Profit and prosper with the best of Kiplinger’s expert advice – straight to your e-mail.
According to LastPass, hackers may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. However, LastPass claims it would be extremely difficult – taking up to “millions of years” (opens in new tab) – to brute force guess master passwords for those customers who have followed their password best practices (opens in new tab). But how many customers have done that?
Experts question LastPass’ claims
Noted cybersecurity experts have queries about LastPass’ recent updates. Wladimir Palant (opens in new tab), security researcher and creator of AdBlock Plus, says that “The statement is full of omissions, half-truths and outright lies.” Senior security researcher John Scott Railton (opens in new tab) considers the hack a far more grave threat than reported – both to individual users as well as companies that employ LastPass for corporate password management.
Yahoo’s senior information security engineer Jeremi Gosney (opens in new tab) is also extremely critical of the response from LastPass, as well as its general approach to security. Gosney notes that “in the last 10 years. I don’t know what the threshold of “number of major breaches users should tolerate before they lose all faith in the service” is, but surely it’s less than 7.”
Hackers could crack your master password in as little as 30 minutes with modern tech.
1Password
Competing password service 1Password (opens in new tab) also casts doubt on the “millions of years” to crack its security claim, noting that it appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process, which is far from the norm. It’s possible that hackers could crack your master password in as little as 30 minutes if they have the most up-to-date tech.
How to protect your online life
If you’re a LastPass customer, consider all of your stored data at risk.
- Immediately update the passwords for your most important online accounts.
- Prioritize email accounts, banking, taxes, credit cards, insurance, healthcare, retirement accounts, secure document storage, etc. as recommended by TechCrunch (opens in new tab).
- LastPass users may also want to switch password managers. Competing services Bitwarden (opens in new tab), 1Password (opens in new tab), and Dashlane (opens in new tab) offer similar features accompanied by stronger track records of protecting user data.
- When using any password manager, choose a strong master password that’s never been used elsewhere. The ideal password utilizes a minimum of 12 (or even up to 16) random characters and has no relation to your personal data, according to the digital password service NordPass (opens in new tab).
- And whether you’re a LastPass user or not, you should create an account on the hacking alert website Have I Been Pwned? which will send you updates on any breaches affecting you as soon as possible.
