People who know about these things are getting a bit worried about the LastPass data breach. If you use LastPass you need to evaluate what action to take.

Late last year a hacker broke into LastPass and stole their entire data vault, that included all your logons and passwords if you use LastPass (or even have an old account that you don't use anymore).

LastPass say that they, and consequently the hackers, don't have access to your logon data because its encrypted and protected by the master password that only you know. They have advised that it would take 'millions of years' to crack open the vaults and get access to your data.

However, as time has gone on, we have been hearing that there are caveats to this and it depends on the length of the master password and some of the default settings that you had setup in LastPass, some of those settings have changed their defaults over time so If you have an older account, you may have less protection. The end result of that is that some online security sites are saying in reference to the 'millions of years' claim that in actuality "it may be a lot less than that!"

Advice is extremely varied about what to do, here are some examples:

  • LastPass are saying 'millions of years' to crack open, assuming you have a 12 digit complex password, your PBKDF2 iterations is set to 100,100 or more and [OBVIOUSLY] you never reuse your master password on other websites
  • Almost all are saying change the LastPass master vault password
  • Some are saying change all your passwords for any accounts that are stored in LastPass and change the LastPass master vault password
  • Some are saying dump LastPass altogether and move to another password manager, plus changing all your passwords as above


Whatever action you decide on, do it soon as the clock is ticking if the hackers are trying to brute force crack the data. Some sites are reporting that LastPass have been very coy about the details including when the data was even stolen and as such how long the hackers may have been working on the data, and some say that general communication about the whole event has been poor which brings about a loss of confidence in the service.

The LastPass notice:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Some other sites information:
https://www.wired.com/story/lastpass-breach-vaults-password-managers/

https://www.bostonglobe.com/2023/01/09/business/lastpass-security-breach-was-worse-than-youve-heard-heres-what-do/

https://blog.1password.com/not-in-a-million-years/

Finally, almost all security experts still recommend a password manager for managing your passwords. The general consensus is that having strong complex passwords for all your sites and services that you don't have to remember, all stored within a very secure service, protected by a single unique, strong password still provides the best protection compared to the alternatives.

This blog post has been provided for the benefit of digitalwelcomemat IT customers. Treat this information as informative only and do not take actions or make decisions on the basis of the information contained here. All IT decisions and actions should be made after consultation with your chosen IT professional taking into account all the of the relevant factors.