When password managers get hacked

What do you do if your password manager has been hacked? If you’re a LastPass user, it might be time to consider your options. Jordan Heersping from CERT NZ offers some expert advice.

19 January 2023

It’s now public knowledge that LastPass, the password management service, has been compromised with attackers gaining access to customers’ information and vaults. These vaults contain encrypted password and account information.

LastPass revealed in a blog post that someone gained access to a developer’s account back in August 2022 and the stolen information was later used to target another employee, obtaining their credentials. This ultimately led to the attacker obtaining customer account information and encrypted (protected) vaults.

LastPass 2022 blog

What does that mean exactly?

The stolen data includes the following unencrypted details:

  • Company names.
  • Consumer names.
  • LastPass usernames.
  • Billing addresses.
  • Telephone numbers.
  • Email addresses.
  • IP addresses which customers used to access LastPass.
  • Website URLs from your password vault.
  • If the password for an account entry is “weak” or “vulnerable.”
  • Time of when an account entry was last used.

If you are a LastPass user, this means a cyber criminal holds personal details such as your email address and can see which websites you use, which accounts you have, and which of those accounts use weak or vulnerable passwords.

Other data stolen was in encrypted form including the following:

  • Website usernames and passwords.
  • Secure notes.
  • Form-filled data.

To decrypt the information in these vaults, attackers need your master password. Because they hold their own copy of the vault, they can guess it offline (“brute-force” it) at whatever speed their hardware allows, with no account lockout or rate limiting to slow them down, or they can try to phish it (trick you into disclosing it). If your master password was short, or was one you had reused on another site and that has already leaked elsewhere, it is only a matter of time.

What to do

We recommend you consider your options if you are a LastPass user. You should operate under the assumption that your user and vault data has been taken and could be opened in the future.

Those at higher risk, or more likely to be targeted, include:

  • government workers
  • journalists
  • activists
  • celebrities or people of interest
  • businesses
  • cryptocurrency investors, and
  • those with weak passwords.

We recommend immediately updating your master password to something long, strong, and unique to prevent future attacks against your account. You should never re-use your master password. If you’re stuck, we have a page with advice on how to create a good password.

How to create a good password 

It is important to note that attackers already have a copy of your vault from that point in time, which is encrypted with your old password. So, while changing your master password will help prevent access to your current live vault, it will not prevent an attacker opening their copy of your vault with your old password.
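To make concrete why the attacker’s copy matters, here is an added example; it is not part of CERT NZ’s advice or LastPass’s code. It encrypts a constructed sample vault under a key stretched from the master password with PBKDF2, then plays the attacker: guessing offline against the stolen copy with no server, lockout or rate limit involved, and showing that rotating the master password re-secures only the live vault. The iteration count, the wordlist, the vault contents and the passwords are illustrative assumptions, and HMAC-SHA256 in counter mode stands in for AES so the example runs with only the Python standard library.

```python
import hashlib
import hmac
import json
import os

# Assumption: an illustrative PBKDF2 work factor, not LastPass's actual setting.
ITERATIONS = 50_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for AES-CTR, so the example needs
    # only the standard library; the offline attack works the same against either.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Encrypt-then-MAC the vault under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ciphertext": ct, "tag": tag}


def decrypt_vault(master_password: str, blob: dict):
    """Return the plaintext, or None if the master password (or the blob) is wrong."""
    enc_key, mac_key = _subkeys(derive_key(master_password, blob["salt"], blob["iterations"]))
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def offline_guess(stolen_blob: dict, candidates):
    """Attacker side: test guesses against the stolen copy. No server is involved,
    so there is no lockout or rate limit; the cost is one KDF run per guess."""
    for attempt, guess in enumerate(candidates, start=1):
        if decrypt_vault(guess, stolen_blob) is not None:
            return guess, attempt
    return None, len(candidates)


def demo() -> dict:
    # Constructed sample vault and wordlist; not real data.
    vault = json.dumps({"bank.example": {"user": "alice", "password": "s3cret"}}).encode()
    wordlist = ["password", "123456", "letmein", "Summer2022", "qwerty", "Welcome1"]

    stolen_copy = encrypt_vault("Summer2022", vault)  # weak master password at time of theft
    found, attempts = offline_guess(stolen_copy, wordlist)

    # The user now rotates the master password. That only re-encrypts the live vault;
    # the attacker's copy is unchanged and still opens with the old password.
    live_vault = encrypt_vault("corridor-walnut-tango-lighthouse-92", vault)
    old_still_opens_copy = decrypt_vault("Summer2022", stolen_copy) == vault
    old_opens_live = decrypt_vault("Summer2022", live_vault) is not None
    strong_found, _ = offline_guess(live_vault, wordlist)

    return {
        "weak_found": found,
        "weak_attempts": attempts,
        "old_password_still_opens_stolen_copy": old_still_opens_copy,
        "old_password_opens_rotated_live_vault": old_opens_live,
        "strong_found_in_wordlist": strong_found,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the weak master password falls on the fourth guess; nothing in the wordlist opens the rotated live vault, but the old password still opens the stolen copy. Against a real vault the attacker’s only per-guess cost is the key derivation, which is why the length and uniqueness of the master password you had at the time of the theft matter more than anything you change afterwards.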

Because attackers may eventually open their copy of your vault, change all your important passwords first (online banking, email, government logins, social media, medical logins) and then change any weak or reused passwords. LastPass paid users can identify which passwords are weak or reused by checking their Security Dashboard.

To be extra safe, and over time, you should aim to change all of your passwords. Yes, this is a big job! You could break it up by working through one category at a time, or by changing each password the next time you log in to that site.
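As an added example (not the Security Dashboard, and not code from the original page), the script below does the same triage on an exported copy of a vault: it flags reused and short passwords and orders the entries so the categories named above come first, giving you a worklist for changing passwords. The CSV columns, the category keywords, the weakness rule and the sample entries are constructed assumptions; a real export may use different headers, so map them before running it. The export file itself is unencrypted, so delete it securely once you are done.

```python
import csv
import io
from collections import Counter

# Constructed sample export, not real data. Assumed columns: url, username, password, name.
SAMPLE_EXPORT = """url,username,password,name
https://online.bank.example/login,alice,Tr0ub4dor&3,Bank
https://mail.example.com,alice@example.com,Tr0ub4dor&3,Email
https://myaccount.govt.example,alice,correct-horse-battery-staple-41,Government portal
https://social.example,alice_s,summer2022,Social media
https://forum.example,alice,summer2022,Hobby forum
https://clinic.example/patient,alice,Xk9#pLm2$vQw7!rT,Medical
"""

# Categories to change first, in priority order. The keywords are assumptions
# and should be adjusted to the sites actually in your vault.
PRIORITY_KEYWORDS = [
    ("banking", ("bank", "pay", "card")),
    ("email", ("mail",)),
    ("government", ("govt", ".gov")),
    ("medical", ("clinic", "health", "medical", "patient")),
    ("social", ("social", "facebook", "twitter", "instagram")),
]

# Assumed weakness rule: too short, or on a small list of very common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2022"}
MIN_LENGTH = 12


def categorise(url: str, name: str):
    """Return (rank, label); lower rank means change it sooner."""
    haystack = f"{url} {name}".lower()
    for rank, (label, keys) in enumerate(PRIORITY_KEYWORDS):
        if any(k in haystack for k in keys):
            return rank, label
    return len(PRIORITY_KEYWORDS), "other"


def is_weak(password: str) -> bool:
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def triage(export_csv: str) -> list:
    """Flag reused/weak passwords and order entries by how urgently to change them."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    uses = Counter(r["password"] for r in rows)  # same value in more than one entry = reused
    entries = []
    for r in rows:
        rank, label = categorise(r["url"], r["name"])
        reasons = []
        if uses[r["password"]] > 1:
            reasons.append("reused")
        if is_weak(r["password"]):
            reasons.append("weak")
        entries.append({"name": r["name"], "url": r["url"], "category": label,
                        "rank": rank, "reasons": reasons})
    # Important categories first; within a category, flagged entries before clean ones.
    entries.sort(key=lambda e: (e["rank"], 0 if e["reasons"] else 1, e["name"]))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_EXPORT):
        print(f'{e["category"]:<11} {e["name"]:<18} {", ".join(e["reasons"]) or "ok"}')
```

On the sample data the bank and email entries come out first, both flagged as reused and weak, and the hobby forum sharing the social-media password sits at the bottom but is still flagged, because a reused password means one site’s breach opens the other.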

Remember always to enable 2FA where possible – this is still one of the best protections to have in place. If you kept 2FA recovery codes or authenticator secrets as secure notes in your vault, treat those as exposed too and regenerate them. We have a guide to 2FA on our website.

Use two-factor authentication to protect your accounts 

To protect yourself against social engineering or phishing attacks, it is important to know that LastPass, or any other password manager, will never call, email, or text you and ask you to click a link to verify your password. Other than when you sign in to your vault directly, you should never be asked for your master password.

To avoid being tricked by a fake login page, do not follow links to log into your password manager. Always navigate directly to your password manager’s application or website.

Next, think about your password manager. Using a password manager remains our top recommendation for managing your passwords and we believe you are much better off using one than not. If you no longer feel confident using your existing one, there are many great password managers available, both free and paid. You should weigh up your options and decide which one might work best for you.

Choosing a password manager

One feature to look for when choosing is an import/export option, which most managers offer; it makes moving your passwords from one to another fairly easy. Be aware that the export is usually an unencrypted file (often a CSV) containing every password in your vault, so import it promptly and then delete it securely rather than leaving it on disk or in cloud storage.

If you have any questions or concerns about your LastPass account, please reach out to info@cert.govt.nz.