LastPass Breach January Update
The cloud password management company LastPass was hacked last year but didn’t release any details until December 22nd. Read my LastPass Time Bomb Breach blog.
Since then I have clawed out one more detail. I was able to get LastPass support to confirm that every LastPass customer vault was stolen on September 22nd last year. That’s right, every single vault is in the hands of hackers. Every password that was in your vault before September 22nd should be treated as compromised.
Changing your master password now does nothing for the copy that was already stolen. That copy is encrypted under the master password you had on September 22nd, and whoever holds it can keep guessing that password offline, with no lockout and no multi-factor prompt to slow them down. Rotating the master password only protects what goes into the vault from here on; the passwords that were in it on September 22nd have to be changed at each website.
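To make that point concrete, here is an added Python example. It is mine, not LastPass code and not part of the original post. It models the shape of the LastPass key derivation (PBKDF2-SHA256 over the master password, with the account email as the salt) and uses a toy HMAC-based cipher in place of the real AES-256-CBC vault encryption; the iteration count, the email address, the master passwords, the vault entries and the wordlist are all constructed for the demo. It shows two things: a stolen copy still opens with the old master password after you rotate it, and a thief holding the blob can guess master passwords offline with nothing to stop them.

```python
import hashlib
import hmac
import os

# Added example, not LastPass code. It models the shape of the LastPass scheme:
# the vault key is PBKDF2-SHA256(master password, salt = account email).
# The iteration count is an assumption for this demo (100,100 is the default
# LastPass has documented for newer accounts; older accounts may use fewer).
ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit vault key from the master password.
    The salt is the lowercased account email, which is not secret: whoever holds the
    stolen vault also knows it, so the only unknown is the master password itself."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode. Stands in for AES here only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption standing in for the real AES-256-CBC vault format:
    nonce || ciphertext || HMAC tag. The tag lets a decryptor tell a wrong key from
    the right one, which is exactly what an offline cracker needs."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong (or the blob was tampered with)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def offline_crack(blob: bytes, email: str, candidates, iterations: int = ITERATIONS):
    """What the thief does with a stolen vault: no server, no lockout, no MFA prompt.
    Try master-password guesses until the blob decrypts. Real attackers use GPUs and
    wordlists of millions; the cost per guess is set only by the iteration count."""
    for guess in candidates:
        if decrypt_vault(derive_vault_key(guess, email, iterations), blob) is not None:
            return guess
    return None


def demo() -> dict:
    email = "alice@example.com"            # constructed account
    old_master = "Summer2022!"             # weak, wordlist-style master password
    vault = b"github.com,alice,hunter2\nbank.example,alice,4ever$Rich"  # constructed entries

    # The copy exfiltrated on September 22nd: encrypted under the OLD master password.
    stolen_blob = encrypt_vault(derive_vault_key(old_master, email), vault)

    # The user rotates the master password afterwards. The live vault is re-encrypted
    # under the new key (modelled behaviour) ...
    new_master = "correct horse battery staple 7!"
    live_blob = encrypt_vault(derive_vault_key(new_master, email), vault)

    # ... but nothing changes in the thief's copy, which still opens with the old key.
    old_key = derive_vault_key(old_master, email)
    new_key = derive_vault_key(new_master, email)

    wordlist = ["password", "Summer2021!", "Summer2022!", "letmein"]  # constructed wordlist

    return {
        "live_vault_opens_with_new_master": decrypt_vault(new_key, live_blob) == vault,
        "stolen_copy_opens_with_new_master": decrypt_vault(new_key, stolen_blob) is not None,
        "stolen_copy_opens_with_old_master": decrypt_vault(old_key, stolen_blob) == vault,
        "cracked_master": offline_crack(stolen_blob, email, wordlist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway is in the last two dictionary entries: the rotated master password never touches the stolen blob, and a weak master password falls to a short wordlist. The only levers a customer has against the stolen copy are how strong the old master password was and how high the account's iteration count was; neither can be changed after the fact, which is why the site passwords themselves have to be rotated.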
What to do if you are a LastPass customer?
What steps should you be taking?
- Put multi-factor authentication on all your key accounts now. Read my blog explaining what multi-factor authentication is.
- Then change all your passwords, starting with email, banking and any account that can be used to reset other accounts. Don’t reuse anything that was in your LastPass vault.
- Check if your insurance covers breaches like this.
- Find a new password manager. Don’t go back to spreadsheets or pieces of paper. Try 1Password.
Just FYI, last week LastPass changed something in the vault structure that is making it harder to get website login details out of the vault. I’m sure they’re spinning this as a security upgrade, but I suspect it is really to slow down customers from moving all their information out.
I have been trying to get more information from LastPass about the breach and who their lawyer is. No luck yet. Hopefully I will have more next month.
At the same time LastPass was breached, LogMeIn was hacked as well. Both LastPass and LogMeIn are owned by GoTo. LogMeIn actually sent detailed emails to their customers about this breach, blaming a third-party cloud storage facility (as LastPass did). LogMeIn automatically reset their customers’ passwords.
Last week GoTo admitted that all of their services were hacked at the same time. GoTo has over 800,000 enterprise and private users but they’re not saying how many were affected by the LastPass breach.