What happened?
- company name
- end-user name
- billing address
- email address (you probably want to assume that this is both the main email address and, if set up, the security email address)
- telephone number
- the number of iterations for PBKDF2
- the IP addresses from which the user has accessed the LastPass service (you probably want to assume that this is not only the last access but also history, for an unknown period of time)
- the full URL stored in every entry in the vault
- the LastPass Authenticator database (TOTP seeds and phone numbers), but only if you enabled the Cloud Backup option for LastPass Authenticator
What are the risks?
- the LastPass breach itself,
- weaknesses in your use of LastPass,
- weaknesses in your use of cloud accounts and the Internet in general, and
- weaknesses in LastPass's security and privacy.
What to do?
Be (even more) on the lookout for phishing attempts, since attackers now have a list of all the sites you have accounts with, plus your email address and phone number to target you with; make sure you fully understand how phishing works and how you can reduce your risk; and become more cybersecurity aware and knowledgeable generally.
If the MP on your account (which is the one on your current vault) is weak (or reused), you're at an ongoing risk of attack from the Internet, so: change your MP to a strong one (and don't use for it any password you've ever used before).
If you have TOTP 2FA on your LastPass account, then, based on LastPass's advice:
regenerate your TOTP authenticator's seed, as described here: Regenerate a key for the Google Authenticator in LastPass - LastPass Support -- but Authy is a better choice than Google Authenticator
but if you're using LastPass Authenticator to protect LastPass, move instead to a new TOTP authenticator app, e.g., Authy
If you don't have 2FA on your LastPass account, you're again at an ongoing risk of attack from the Internet, so
turn on 2FA in your account; a good option for most people is TOTP 2FA, such as Authy -- LastPass Authenticator is not a good option :)
If you use LastPass Authenticator, switch all accounts using it to a new authenticator app/service, such as Authy (the best option), Google Authenticator, or Microsoft Authenticator.
This is mandatory (because of the breach) if you had LastPass Authenticator Cloud Backup enabled; if you didn't, it's still highly desirable.
Do not choose the authenticator built into your future new password manager (see below), because you want defense in depth.
If the MP on your breached vault was weak (or reused), your breached vault might be decrypted by an attacker, so:
for every important account in your breached vault that has a weak or reused password and either doesn't have 2FA enabled or (if you think the seeds might have been stolen) uses LastPass Authenticator:
change those passwords to strong and unique ones
(To find weak or reused passwords, use the Security Dashboard tool from inside your LastPass vault. This of course searches only your current vault, not your breached vault.)
The old Password Iterations setting on LastPass accounts was too low, so:
In your LastPass vault > Account Settings > Show Advanced Settings > Password Iterations, change the value to 600,000. (It's a good idea to first do a vault export as a backup, in case something goes wrong with the vault re-encryption that this change triggers.) Note that this protects only your current vault: the stolen copy stays encrypted under whatever iteration count it had at the time of the breach, so raising the count does nothing for the breached vault; only a strong MP does.
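To make the iteration count concrete, here is an added Python example (not from the original page) of what an attacker who holds a stolen vault copy actually does with it: offline guessing, where every guess costs one full PBKDF2-HMAC-SHA256 derivation. The derivation shape (master password as input, lowercased email as the public salt, one extra round as the server-side verifier), the iteration counts shown and the tiny wordlist are assumptions made for this demo; a real attacker uses millions of leaked passwords and GPUs.

```python
import hashlib
import hmac
import time

# Assumption for this demo (LastPass-style derivation): the vault key is
# PBKDF2-HMAC-SHA256(master password, salt = lowercased email address, N iterations),
# and the verifier the server stores is one further PBKDF2 round over that key.
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key. The salt is public (the email address was in
    the breached data), so only the master password and the iteration count stand
    between the attacker and the key."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def login_verifier(vault_key: bytes, master_password: str) -> bytes:
    """One more PBKDF2 round (key as input, master password as salt): a stolen
    copy of this value is what lets the attacker check each guess."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=KEY_LEN)


def crack_offline(verifier: bytes, email: str, iterations: int, wordlist):
    """Offline dictionary attack against a stolen verifier.
    Returns (password or None, number of guesses tried). Each guess costs a full
    derivation, which is exactly the cost the iteration count controls."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        candidate = login_verifier(derive_vault_key(guess, email, iterations), guess)
        if hmac.compare_digest(candidate, verifier):
            return guess, attempts
    return None, attempts


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Measure what one guess costs on this machine at the given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", email, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account
    # Constructed wordlist; the weak master password below is the 4th entry.
    wordlist = ["password", "123456", "qwerty", "sunshine1", "letmein"]
    # 100,100 was the old default, 600,000 is the recommended value above;
    # 5,000 is included to show an older, very low setting (assumption).
    for iterations in (5_000, 100_100, 600_000):
        verifier = login_verifier(derive_vault_key("sunshine1", email, iterations), "sunshine1")
        t0 = time.perf_counter()
        found, n = crack_offline(verifier, email, iterations, wordlist)
        elapsed = time.perf_counter() - t0
        print(f"{iterations:>8,} iterations: cracked {found!r} after {n} guesses "
              f"in {elapsed:.2f}s (~{seconds_per_guess(email, iterations):.4f}s per guess)")
```

The per-guess time scales linearly with the iteration count, which is the whole point of raising it: at 600,000 the attacker pays roughly six times what they paid at 100,100 for every candidate. But a weak master password that is in the first few thousand entries of a leaked-password list falls in seconds at any realistic count, and a dedicated GPU cracker runs this derivation orders of magnitude faster than the Python above; the iteration count buys time, the strong master password is what actually protects the breached vault.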
Because all the URLs in your vault were included in the breach, for every important account in your breached vault -- unless you've deleted the account since the breach -- review the URL: it might contain something it shouldn't, like a token or password. If it does, you might want to change the password on the account. You can't know what exactly was in your vault at the time of the breach, so the best you can do is review your current vault. (Added 2023-01-03)
For every important account in your current vault (which attackers now have a list of from your breached vault) that has a weak or reused password, an attacker might be able to figure out the password, so:
change those passwords to strong and unique ones
Note that 2FA does provide additional protection, but never rely on it to save you from a weak password.
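The two checks above (URLs that carry a token or password, and weak or reused passwords across entries) can be run over a vault export, which is the closest you can get to a snapshot of what was in the breached vault. The following is an added Python example, not a LastPass tool; the CSV column layout (url,username,password,totp,extra,name,grouping,fav), the list of parameter names treated as credentials, and the sample rows are all assumptions made for the example, and the hosts, users and passwords in it are made up.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed layout of a LastPass CSV export. The rows below are constructed samples.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,S3cure!pass-2021,,,Example,Work,0
https://shop.example.org/account?session_token=abc123def&lang=en,alice,S3cure!pass-2021,,,Shop,Personal,0
https://bob:hunter2@intranet.example.net/,bob,hunter2,,,Intranet,Work,0
https://sso.example.com/callback#access_token=eyJhbGciOi.xyz&state=1,carol,Tr0ub4dor&3,,,SSO,Work,1
https://mail.example.com/,alice,Tr0ub4dor&3,,,Mail,Personal,1
"""

# Parameter names that usually carry a credential rather than page state (assumption).
SECRET_PARAM = re.compile(r"(token|secret|passw(or)?d|pwd|api_?key|session|auth|sig(nature)?)$")


def parse_export(text: str):
    """Read the export into one dict per vault entry."""
    return list(csv.DictReader(io.StringIO(text)))


def url_findings(rows):
    """Entries whose stored URL itself carries a secret: a password in the userinfo
    part, or a credential-looking parameter in the query or the fragment (OAuth
    implicit-flow tokens land in the fragment, which is why it is checked too)."""
    findings = []
    for row in rows:
        url = row.get("url") or ""
        if not url:
            continue
        parts = urlsplit(url)
        if parts.password is not None:
            findings.append((row["name"], "password embedded in URL userinfo"))
        for where, blob in (("query", parts.query), ("fragment", parts.fragment)):
            for key, _value in parse_qsl(blob, keep_blank_values=True):
                if SECRET_PARAM.search(key.lower()):
                    findings.append((row["name"], f"{key} parameter in URL {where}"))
    return findings


def reused_passwords(rows):
    """Map each password used on more than one entry to the names of those entries."""
    by_password = defaultdict(list)
    for row in rows:
        if row.get("password"):
            by_password[row["password"]].append(row["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for name, reason in url_findings(rows):
        print(f"URL review needed: {name}: {reason}")
    for names in reused_passwords(rows).values():
        print(f"same password on: {', '.join(names)}")
```

Run it against your own export in place of the constructed sample, treat every entry it names as one whose password (or token) should be rotated, and remember that the export is a plaintext copy of your whole vault: delete it securely as soon as you are done.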
Turn on 2FA for all your accounts that support it, using your new authenticator app/service
Register all your email addresses with the Have I Been Pwned service; it will notify you if any of those addresses is part of a future data breach.
Have I Been Pwned: Check if your email has been compromised in a data breach
Switch to a new password manager, such as Bitwarden (free/paid) or 1Password (paid)
(Note that there's no particular urgency to move off LastPass, as long as you've completed the actions above.)
N.B. The LastPass breach does not mean that password managers, or even cloud-based password managers, are a bad idea: properly used, they are the best mix of security and convenience for managing your ever-growing set of account credentials. (Passwords themselves are inherently insecure, but a much better replacement is slowly being introduced, viz. Passkeys.) Yes, Bitwarden and 1Password could be hacked just as happened with LastPass. Your protection -- for LastPass, Bitwarden, 1Password, and any other Zero Knowledge / end-to-end encrypted (E2EE) service -- is a strong master password. Don't use your LastPass MP -- either the current one or the one on your breached vault -- for your new password manager! You need to choose a new MP.
Bitwarden and 1Password are highly regarded, are likely better at disclosure of security and privacy breaches, appear to have better security (including internal processes) and encryption, encrypt the URLs in the vault, and have regular third-party audits done. 1Password has a stronger encryption key scheme, viz. its Secret Key. Bitwarden is open source.
1Password's Secret Key can be thought of as a long random string added behind the scenes to your master password: it is a 128-bit random value generated on your device, never sent to 1Password's servers, and combined with your master password when the vault key is derived. This gives strong additional protection against server-side breaches such as the one that happened to LastPass: an attacker with a stolen copy of the vault cannot guess the master password offline, because they would also have to guess the 128-bit Secret Key. (It does nothing against a compromised device, where both are present.)
The process is relatively simple: export your LastPass vault, then import that data into your new password manager. File attachments are not included in the export, so they need to be dealt with separately.
When you're certain that you've moved all your vault data over, delete your LastPass account. If you use LastPass Authenticator, switch all remaining accounts using it to your new authenticator app/service before deleting the account.
For every account in your new password manager vault that has a weak or reused password (at this point only less important accounts should remain), unless it's truly unimportant:
change those passwords to strong and unique ones
What's weak vs. strong?
Weak and strong are not black and white, and there are many different views on the subject, but you could start with these very, very, very rough ideas -- just my guesses -- about whether a password is "weak" or "strong". There are of course many possible caveats, special cases, and exceptions. Tweak these ideas as you see fit.
For regular cloud account passwords, a password should be treated as weak, at the very least, if:
the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 12 characters long, or
the password does not look reasonably random and is less than 15 characters long
For your password manager MP, which is protecting information of higher sensitivity than your other cloud accounts, a password should be treated as weak, at the very least, if:
the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 17 characters long, or
the password does not look reasonably random and is less than 20 characters long
How to create a strong password or MP?
The above is for the case where you are evaluating the strength of an existing password in order to decide whether to change it. But when you are creating a new password, you probably want it to be much stronger than the above:
For regular cloud accounts, simply use the password generator built into your password manager: have it generate a random password using all 4 of lower case, upper case, digits, and symbols, and of length, say, 30 characters. Choosing a randomly-generated password of that length essentially guarantees that it is unique, i.e., not reused.
For your new password manager MP, you need something strong enough but also very memorable, which can be a challenge. Here is my favorite algorithm: make up a long story you won't forget (maybe something that happened to you, that you did, that you want to do, etc.), add some punctuation, take the first letter of each word, and substitute several of those letters with digits and symbols. This should give you an MP that is long and looks reasonably random, but which you won't forget (after a bit of practice). I suggest 20 characters as a bare minimum, but more is better, and the more random it looks, the better too. Try to use uncommon letters and uncommon symbols, e.g., not punctuation.
(This algorithm is derived from: Essays: Passwords Are Not Broken, but How We Choose them Sure Is - Schneier on Security, 2008)
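The rough weak/strong thresholds and the two ways of making a password described above, as an added Python example (not part of the original page): the "looks reasonably random" test (at least 3 of the 4 character classes and no run of five or more letters), the substitution map, and the sample story are assumptions made for the example; the length thresholds are the page's.

```python
import re
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)


def char_classes(pw: str) -> int:
    """How many of the four classes (lower, upper, digit, symbol) the password uses."""
    return sum(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def looks_random(pw: str) -> bool:
    """Rough stand-in for 'looks reasonably random' (assumption): at least 3 of the 4
    classes, and no run of five or more letters, since a run that long is usually a word."""
    return char_classes(pw) >= 3 and not re.search(r"[A-Za-z]{5,}", pw)


# The page's thresholds: (minimum length if random-looking, minimum length otherwise).
THRESHOLDS = {"account": (12, 15), "master": (17, 20)}


def is_weak(pw: str, purpose: str = "account") -> bool:
    """Apply the page's rule of thumb for a regular account or for a master password."""
    random_min, other_min = THRESHOLDS[purpose]
    return len(pw) < (random_min if looks_random(pw) else other_min)


def generate_account_password(length: int = 30) -> str:
    """What a password manager's generator does: CSPRNG draws from all four classes,
    resampled until every class is present (at 30 characters this rarely loops)."""
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if char_classes(pw) == 4:
            return pw


# Example substitution map (assumption); swap in your own, and do not use all of them.
SUBSTITUTIONS = {"a": "@", "e": "3", "o": "0", "s": "$", "t": "7"}


def story_to_master_password(story: str, substitutions=SUBSTITUTIONS) -> str:
    """The page's recipe: first letter of each word, punctuation kept, some letters
    swapped for digits/symbols. Every mapped lowercase letter is swapped here so the
    result is deterministic; vary it by hand when you do this for real."""
    pieces = []
    for token in story.split():
        first = next((c for c in token if c.isalnum()), "")
        punct = "".join(c for c in token if not c.isalnum())
        pieces.append(first + punct)
    acronym = "".join(pieces)
    return "".join(substitutions.get(c, c) for c in acronym)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "x7#Qm2!pL9vR", "correcthorsebatterystaple"):
        print(f"{pw!r}: account weak={is_weak(pw)}, master weak={is_weak(pw, 'master')}")
    print("generated:", generate_account_password())
    story = "My first dog, Rex, ate three socks on a Tuesday!"  # constructed sample story
    mp = story_to_master_password(story)
    print(f"story MP: {mp} ({len(mp)} chars, master weak={is_weak(mp, 'master')})")
```

Two caveats on the story recipe: the sample story above is far too short (13 characters come out, well under the 20 the page asks for), so use a long one; and letter-for-symbol swaps like these are in every password-cracking rule set, so they add little on their own. The strength comes from the length and from the story being something no wordlist contains, which is what "the more random it looks, the better" is really about. The generated account password uses the full punctuation set; some sites reject certain symbols, in which case let the manager's generator exclude them rather than shortening the password.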