ThreeShield Video Briefing
ThreeShield's LastPass breach briefing video — covers what happened, the real risk, and which passwords to change first.
▶ Watch: LastPass Breach Briefing (opens ThreeShield's HippoVideo briefing in a new tab)
What Happened
LastPass experienced two related breaches in 2022. In August 2022, attackers accessed LastPass developer systems and stole source code and technical information. LastPass initially stated that no customer data was accessed. In December 2022, LastPass disclosed that attackers had used the information from the August breach to access a third-party cloud storage service and obtain copies of customer password vault backups.
The stolen vaults contained both encrypted and unencrypted data. Encrypted fields include usernames and passwords. Unencrypted fields include website URLs - meaning attackers know exactly which sites your passwords are for, even before cracking the encryption.
The Real Risk: Offline Vault Cracking
Encrypted vaults can be attacked offline - attackers don't need to interact with LastPass systems to try to crack them. They can throw significant computing resources at guessing your master password without any lockout or rate limiting. A weak or short master password may be crackable in hours or days. A strong, unique master password that was not used elsewhere is significantly more resistant.
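To make the offline-cracking argument concrete, here is an added back-of-envelope estimator (example code written for this page, not ThreeShield's, LastPass's or any cracking tool's code). It assumes a constructed attacker throughput of ten billion SHA-256 computations per second, treats each PBKDF2 iteration as one hash, and compares constructed master-password shapes at two iteration counts; the exact figures are assumptions, and the point is the ordering: a short password falls in hours to days, while a long random passphrase stays out of reach no matter how much hardware is applied.

```python
"""Back-of-envelope estimate of how long an offline attack on a stolen vault
takes, as a function of master-password shape and KDF iteration count.

Every number below is an assumption chosen for illustration, not a
measurement of any real attacker or of LastPass's infrastructure.
"""

SECONDS_PER_DAY = 86_400

# Assumed attacker capability: raw SHA-256 throughput of the hardware thrown
# at the vault. Constructed value; real rates depend on hardware and budget.
ASSUMED_RAW_HASHES_PER_SECOND = 1e10

# Vault key derivation is PBKDF2-SHA256; each guess costs roughly one hash per
# iteration. 100,100 is the default LastPass documented for newer accounts;
# 5,000 is a constructed stand-in for an older account with a lower setting.
KDF_ITERATIONS = {"older account": 5_000, "current default": 100_100}

# Constructed password shapes: (alphabet size, length in symbols).
# A diceware-style passphrase is modelled as symbols from a 7776-word list.
PASSWORD_SHAPES = {
    "8 lowercase letters": (26, 8),
    "10 mixed letters+digits": (62, 10),
    "6-word diceware passphrase": (7776, 6),
}


def guesses_per_second(raw_hashes_per_second: float, kdf_iterations: int) -> float:
    """Guess rate after the KDF cost: the iteration count divides the raw rate.
    This is the lever a higher iteration count pulls for the defender."""
    return raw_hashes_per_second / kdf_iterations


def search_space(alphabet_size: int, length: int) -> float:
    """Number of candidates for a uniformly chosen secret of `length` symbols."""
    return float(alphabet_size) ** length


def expected_days(space: float, rate: float) -> float:
    """Expected time to hit a uniformly random secret: on average the attacker
    covers half the space before succeeding."""
    return (space / 2.0) / rate / SECONDS_PER_DAY


def estimate_days(alphabet_size: int, length: int, kdf_iterations: int,
                  raw_hashes_per_second: float = ASSUMED_RAW_HASHES_PER_SECOND) -> float:
    """Expected days to crack one vault of the given shape at the given KDF cost."""
    rate = guesses_per_second(raw_hashes_per_second, kdf_iterations)
    return expected_days(search_space(alphabet_size, length), rate)


def compare_scenarios() -> dict:
    """Expected days for every (shape, iteration-count) pair, keyed by labels."""
    return {
        (shape, kdf): estimate_days(*dims, iters)
        for shape, dims in PASSWORD_SHAPES.items()
        for kdf, iters in KDF_ITERATIONS.items()
    }


def describe(days: float) -> str:
    """Human-friendly rendering of a duration given in days."""
    if days < 1:
        return f"{days * 24:.1f} hours"
    if days < 365:
        return f"{days:.1f} days"
    return f"{days / 365:.3g} years"


if __name__ == "__main__":
    for (shape, kdf), days in compare_scenarios().items():
        print(f"{shape:<28} @ {kdf:<16}: {describe(days)}")
```

Under these assumptions the 8-letter password is cracked in under a day at the low iteration count and in under two weeks at the default, while the six-word passphrase takes billions of years either way; the iteration count buys a constant factor, but password length buys exponential margin, which is why the advice below leads with a long, unique passphrase.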
What to Do
- Change your LastPass master password - use a long, unique passphrase not used anywhere else
- Change passwords for your highest-value accounts immediately - banking, investment accounts, email (email recovery chains give access to everything else), and business-critical systems
- Enable MFA everywhere - MFA means a cracked password alone cannot compromise your account
- Consider migrating to a different password manager - Bitwarden (open source, independently audited) is a widely recommended alternative
- Monitor for unusual account activity - particularly on financial and email accounts over the coming months
ThreeShield's managed clients received proactive guidance on this breach and had their exposure assessed as part of ongoing monitoring. Lavawall® includes dark web credential monitoring - alerting when your team's email addresses appear in new breach databases.