If you’re a LastPass customer you may already be aware that they were breached late last year and that encrypted copies of customer password vaults were stolen. If you aren’t familiar with the details, there are some great articles out there that explain what happened. Just Google “Latest LastPass breach”. Sorry, there are too many good articles to list here.
A few people have reached out to me and wondered what they should be doing about this as a customer of Lastpass. I thought that was a great question and below I’ll outline the priority (based on my personal opinion) of what you should do to protect yourself from this breach.
Keep in mind that the list below is not comprehensive, but it is a good starting point. Each person’s risk will be different, and it depends on the strength of your LastPass master password and on what you kept in the vault. Ultimately, whatever you stored in LastPass you’ll need to update and change. It’s best to assume someone already has this information.
- Change your LastPass master password now, assuming you haven’t moved on to a different solution yet. The longer the password the better. I recommend a minimum of 24 characters. You need to do this first, otherwise anything else you do will be useless, since a threat actor (bad person) who cracks your old master password can log in again and view all the changes you made. Note that changing it does not re-encrypt the copy that was stolen: that copy stays protected only by your old master password, which is why the rest of this list is about changing everything that was inside the vault.
- Increase your Password Iterations setting to over 1,000,000. (As of today, the industry recommendation for PBKDF2-SHA256 is 600,000.) The iteration count is the number of rounds LastPass runs to turn your master password into the key that encrypts your vault. It does not make your master password more complex; it makes every guess cost more compute, and that cost applies equally to an attacker running an offline attack against a stolen vault. Keep in mind the bigger the number, the longer it takes to unlock your vault. I have mine over a million, and it takes a second longer to open my vault, so it’s not too bad. The setting is located in Account Settings > Advanced Settings. As with the master password, raising it only protects your vault from now on; the stolen copy was encrypted at whatever count you had before.
- Change your main email password(s). Like a lot of people, many of the services you signed up for are tied to your main email account(s), and password resets are often sent to that address. At this point, and for every other account you update, you’ll also need to generate new backup codes, create new security questions and answers, enable two-factor authentication (if you haven’t already), and re-enroll your authenticator app so it gets a new code-generator seed. The reason is that a threat actor may have logged in, copied the old recovery information, and saved it to use later.
- Only after your email account passwords have been updated and protected, change the passwords for these services next:
– Financial institutions: Banks, brokerages, loan and tax services, and any site or service that holds your money, credit, or debt. If credit or debit card details were stored in LastPass, you’ll need to request new cards as well.
– Health provider/services: These can include medical, dental, vision, etc. services. The information on these accounts can be used to verify your identity.
– Utility services: Information from these online accounts (electric, gas, water, etc.) may be used to verify your identity. You may have noticed that some places request a utility bill as proof of residence or identity.
– Shopping and eCommerce: Any shopping sites or services that store your payment information (Amazon, eBay, Etsy, DoorDash, Uber, etc.).
- Eventually every password you stored in LastPass before the breach will need to be updated, and the sooner the better. Use that time to check whether each service or account is still important or useful; otherwise close, delete, or deactivate it. This will help reduce your online footprint. It’s difficult to verify that a service will permanently delete your data, so I recommend that you manually delete any profile information (phone number, address, etc.) or change it to gibberish where possible before you “delete” or deactivate the account.
I’m sure there are a lot more things you can do to further protect yourself from the LastPass data breach, but I hope this helps those who are looking for some structure or prioritization in their efforts to protect themselves.