Last year LastPass announced that attackers stole the password vaults of (probably) all of their customers.
How big of a problem is this?
The general consensus among security experts — including myself — is that it’s bad but not awful.
LastPass keeps all of your passwords encrypted in a way that not even LastPass can get into. It’s like storing something in a safe that needs both a code and a key, and then shipping the locked safe to LastPass for safekeeping.
Well, they lost the safe to a thief but the thief still needs to be able to get in and that won’t be easy.
If you are a politician, celebrity, CEO/COO/CFO of a large organization, or a high-profile target then you should be worried and contact a security expert to help you ASAP. For the rest of us, it is a good idea to change passwords for your most important sites.
There is one catch: It doesn’t sound like LastPass encrypted usernames and URLs. So, an attacker that has my password vault would be able to see my bank website and username, but not my password. It would look like this:
That is enough information for a hacker to pretend to be my bank and start sending me phishing emails.
While everyone should be on the lookout for phishing emails all the time, LastPass customers should be twice as careful.
Should I Switch?
If it’s just you and not your company, then 1Password and Bitwarden are both good options. Changing password managers for an entire organization is much more complex.
And remember: the horse already left the barn. You can switch to a different provider but the information that LastPass lost is already out there for hackers. You can’t undo that.
Personally, I am still taking the wait-and-see approach. A knee-jerk reaction is never a good idea, and an unplanned transition could result in being locked out of important accounts.