LastPass hit by major data hack: what you need to know

The attack exposed users' information, but LastPass says a secure master password should still offer protection

LastPass, the popular password-management service, has confirmed a major data hack by an 'unknown threat actor' that has put customers' data at risk.

If you currently use LastPass, the company says you should review your master password: the one that protects your online vault containing all your other stored passwords. 

If you suspect that your master password is weak or insecure, LastPass advises that you change it immediately, and also change all the individual passwords you've got saved in your LastPass vault. 



Treasure trove of user data exposed in the LastPass attack

In August 2022, LastPass reported that a hacker had accessed one of its cloud-based storage environments. It has now emerged that the attacker used this access to steal software code and technical information. 

In November, the attacker used their stolen information to target a LastPass employee and in turn steal login credentials, enabling them to access more customer data. 

The stolen 'basic customer account information', as LastPass describes it, includes usernames, billing addresses, email addresses, telephone numbers, and IP addresses used to access LastPass.

The attacker also took a copy of other customer data, including websites visited, usernames and passwords, secure notes and data used to auto-fill online forms. 

All this information would be very valuable to a cybercriminal in building up a picture of an individual in order to target them for identity theft, blackmail and other types of scam.



Wow, that sounds bad...

It does indeed, but LastPass has said that the stolen vault data can only be decrypted – turned into a format that a person can actually read – if the hacker can get hold of a unique encryption key derived from each user's master password. 

LastPass does not know, store or maintain users' master passwords. If you're a LastPass user, only you know your master password. The company describes this as its 'zero knowledge architecture'.

However, if you have set an easily crackable master password, you could be at risk of a cybercriminal breaching your password and decrypting the stolen data. 



What to do if you're a LastPass customer

First of all, don't panic. But do check your LastPass master password. 

Alongside the mandatory 12-character minimum length imposed by LastPass in 2018 (if you were an earlier user, you may still have a shorter password), your master password should have been made sufficiently complex using an established password creation method - see our guide on how to create secure passwords.

Your password should not be reused elsewhere, in case it's compromised in a separate data breach. If that happened, it could then be used to target your account in what's known as a 'credential stuffing' attack. 
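The checks described above (a master password of at least 12 characters, built with a sound method and not reused elsewhere) and the earlier point that the vault can only be read with a key derived from the master password, as an added Python example; this is not code from Which? or LastPass. The PBKDF2 iteration count, the use of the e-mail address as salt, the assumed guess rate and the 60-bit entropy threshold are illustrative assumptions, not LastPass's actual settings.

```python
import hashlib
import math
import string

# Parameters assumed for this example only; they are not LastPass's real settings.
ITERATIONS = 100_000            # PBKDF2 rounds used to stretch the master password
GUESSES_PER_SECOND = 1_000_000  # assumed offline guess rate against this key derivation
MIN_LENGTH = 12                 # the minimum length the article says LastPass required from 2018
ENTROPY_THRESHOLD_BITS = 60     # assumed cut-off below which a password is flagged as weak

SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit vault key from the master password.

    Only the password holder can reproduce this key, so whoever holds a copy of
    the encrypted vault still needs the master password to read it. The e-mail
    address is used as salt here (an assumption for this example), lower-cased
    so that capitalisation differences do not change the key.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length x log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def expected_crack_seconds(entropy_bits: float,
                           guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Average time to search half the keyspace at the assumed guess rate."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def assess_master_password(password: str, reused_elsewhere: bool = False) -> dict:
    """Apply the article's three checks: length, complexity and no reuse."""
    bits = estimate_entropy_bits(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if bits < ENTROPY_THRESHOLD_BITS:
        problems.append("low estimated entropy")
    if reused_elsewhere:
        problems.append("reused on another site (credential-stuffing risk)")
    return {
        "entropy_bits": round(bits, 1),
        "years_to_crack": expected_crack_seconds(bits) / (365 * 24 * 3600),
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["password", "Sunshine2022", "Tr0ub4dor&3!xYz9"]:
        print(pw, assess_master_password(pw))
    key = derive_vault_key("Tr0ub4dor&3!xYz9", "user@example.com")
    print("vault key:", key.hex())
```

The entropy estimate is deliberately crude (it treats every character as independent, so a dictionary word scores better than it deserves); its purpose is to show why a short, simple master password collapses the attacker's search space while a long, mixed one does not, and why the same key derivation offers no protection if the password is already known from another breach.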

LastPass said in a blog post confirming the attack that for anyone using a secure password creation method, 'it would take millions of years to guess your master password using generally available password-cracking technology'.

It continued: 'Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.'

However, the company added that, for those who hadn't created a secure master password, this would 'significantly reduce the number of attempts needed to guess it correctly. 

'In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored,' LastPass added. 

The company also warned that customers may be targeted with phishing attacks, so do be on your guard, particularly if you're asked for your master password. As the company has said: 'Other than when signing into your vault from a LastPass client, LastPass would never ask you for your master password'.

LastPass said that it has contacted 'law enforcement and relevant regulatory authorities' about the incident.



Is it safe to use a password manager? 

Despite this data breach, using an online password manager is still safer than not using one. We all have lots of online accounts, and juggling various different passwords is hard. 

Password managers are a convenient and secure way to do so. But that doesn't mean it has to be LastPass that you use. 

There are other services out there, such as Dashlane and 1Password, that are also worth considering. You can find out more on their respective websites - Dashlane and 1Password.


Originally published 29 December 2022. Story updated 4 January 2023