LastPass breach is serious, but it's nothing to panic over

On Monday, LastPass informed customers about an attack that took place on Friday, which compromised password data. However, before you panic, there are some things you should know, including the fact that a compromise like this was bound to happen sooner or later. Be glad that LastPass informed you, as that knowledge can keep you protected in this case.

LastPass is a password manager, one of several available online. Password managers are a good idea, and a great way to securely create and store passwords. However, online password managers like LastPass come with some risk, the biggest being that all of your passwords are stored in one location. Depending on the password manager and how you use it, this risk is acceptable.

So what happened?

Last Friday someone attacked LastPass and compromised their network. The attack was detected, but investigation of the incident has shown that LastPass account email addresses, password reminders, server-side per-user salts, and authentication hashes were compromised. As a result, if you're a LastPass user, you should be getting an email from the company explaining what happened. That email is essentially a press release telling you the compromised password data will be hard for the attackers to use in any meaningful way.

But the key phrasing in that message (also repeated in their disclosure notice) is this: "We are confident that our encryption measures are sufficient to protect the vast majority of users… This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

If you don't understand, what they're saying is that the passwords were salted, but given enough time and processing power, it is possible the attackers could obtain your passwords. In reality, you're more likely to hit the lotto several times first before the attackers are successful, but the possibility is still there. Given that, why risk it? Change your master password and play it safe.

So what do I do?

The first thing you should do is change the master password on your LastPass account, especially if this master password is used anywhere else on the Internet. If you've been using LastPass correctly, none of your passwords should be the same, so you won't have to change anything else. But if any of them overlap, those will need to be changed too. Let LastPass generate passwords for you. Something else you can do going forward is to change your passwords once a quarter.

Finally, enable and use multifactor authentication with your LastPass account. The importance of this cannot be overstated: multifactor authentication means that anyone with your account password has to try even harder to compromise your account, and in most cases it stops account compromises completely.

While this incident isn't too bad, it's still a data breach, so don't dismiss it outright. LastPass did the right thing by disclosing the incident to their customers. However, online password managers are considered a risk because there is a single point of failure for the end user (that's you). If the account is compromised, all of the accounts associated with it (Facebook, Gmail, etc.) are exposed as well. This is a risk you either accept (by using LastPass) or reject by using an offline password manager instead.

Given the protections LastPass used for password hashes, if you change your master password now and enable multifactor authentication, you're going to be in good shape, even if the attackers manage to obtain your passwords.

Something else to watch for will be phishing. It is possible that criminals will use this incident in order to get you to reveal your LastPass credentials. They'll do this by sending an email pretending to be from LastPass and encouraging you to fill out a form online with account information. Everything you need to do for your LastPass account can be done online directly, via the company's website. Don't click any emailed links claiming to come from LastPass; visit the website directly at https://lastpass.com
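The per-user salt and the "additional strengthening" the notice refers to, illustrated in Python as an added example (this is not LastPass's code; PBKDF2-HMAC-SHA256 and the iteration count are assumptions, since the article does not name LastPass's actual scheme or parameters):

```python
import hashlib
import hmac
import os

# Assumed stretching function and work factor for illustration only; the
# article does not state what LastPass actually uses.
ITERATIONS = 100_000   # every guess against a stolen hash must repeat this work
SALT_BYTES = 16

def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the authentication hash from password + per-user salt.
    The iteration count is the 'strengthening': it multiplies the cost
    of each guess, which is what keeps attacks on stolen hashes slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_record(password: str) -> dict:
    """What a server stores per user: a random per-user salt, the work
    factor, and the stretched hash. Because each salt is random, two users
    with the same password get different hashes, so one precomputed table
    cannot cover a whole set of stolen records at once."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS, "hash": stretch(password, salt)}

def verify(password: str, record: dict) -> bool:
    """Check a login attempt against the stored record (constant-time compare)."""
    candidate = stretch(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def same_password_different_hashes(password: str) -> bool:
    """Demonstrate the salt's effect: identical passwords, distinct stored hashes."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"]

if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    rec = make_record("correct horse battery staple")
    print("correct master password accepted:", verify("correct horse battery staple", rec))
    print("wrong master password rejected:", not verify("password123", rec))
    print("same password, different users, different hashes:",
          same_password_different_hashes("hunter2"))
```

Changing your master password, as the article advises, replaces the stored record with a fresh salt and hash, so a stolen copy no longer corresponds to the live credential.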