LastPass was hacked twice in 2022. In August 2022, hackers were able to gain access to its development environment using a developer’s account. This allowed them to see source code, but didn’t give them access to customer data. LastPass didn’t give any details about how the hackers gained access to the developer’s account; I presume they were the victim of a phishing or spear-phishing attack.

Only six months later they were hacked again, and this time it’s not good news. The hacker was also able to copy a backup of customer vault data from the encrypted storage container. The backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

What does this mean?

Well, it means that they can try to crack the user’s master password, and if they’re successful they would have an offline copy of your entire password vault from the backup file. So you had better have had a strong master password! LastPass said:

“If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.”

A lot of cyber security experts have said that this is a bit misleading, and that “millions of years” is a bit of an exaggeration meant to reassure customers.

What should you do next?

The first recommendation would be to change all your important passwords: banking, social media, anything you wouldn’t want to lose access to. Just changing your master password isn’t good enough! If you want to be totally secure, reset all your passwords and enable 2FA/MFA wherever possible, as this is the best way to secure your accounts. You will then need to think about whether you want to stay with LastPass or jump ship to another password manager. Just remember that if you migrate to another password manager you will still need to reset all your passwords, otherwise you still risk having your accounts compromised.

By dz
