
LastPass security breach was worse than you’ve heard. Here’s what to do.

[Image: Computer code and text displayed on computer screens. Credit: Bloomberg Creative Photos/Bloomberg Creative]

If you rely on the popular password manager LastPass, you might want to start changing your passwords. Right now.

Just before Christmas, LastPass chief executive Karim Toubba posted a message on the company’s blog announcing that a security breach first reported last summer was a lot worse than users had been led to believe.

In August, the company said intruders gained access to the computer systems used by the company to maintain and update its software. “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” Toubba wrote at the time.


But now, LastPass is singing a different tune. In a December 22 posting, Toubba said the attackers had also managed to steal an employee’s login credentials, thereby gaining access to “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

Worse yet, the intruders were also able to steal the customers’ “vault data” — the encrypted files containing passwords and other sensitive data stored by LastPass’ 33 million subscribers.

It’s not all bad news. Because LastPass stores vault data in encrypted form, those who stole it can’t easily read it, at least not right away. But they can use password-cracking programs to try to guess the master password for each vault. And because the vault data is in their possession, they can take their time, testing one set of digital locks after another like a burglar rattling doorknobs. Whenever they succeed, they’ll have full access to any information inside, including credit card numbers, bank account data, or medical records.

Last week in Boston federal court, LastPass was hit with a lawsuit related to the breach. A plaintiff identified as “John Doe” claims criminals have used the stolen data to break into his LastPass account and steal his private Bitcoin keys, worth $53,000.


What’s a LastPass user to do? Change the locks. First, create a new master password. Next, change every other password you’ve stored in LastPass. If that’s too much trouble, at least change the ones that really matter, like those for your e-mail, social networks, financial accounts, medical records, and the like.

LastPass has suffered multiple security breaches over the past decade, including incidents in 2011 and 2015, as well as software bugs that exposed user data to possible theft. But this most recent incident could lead consumers to switch to rival password managers, such as 1Password or Bitwarden.

LastPass did not respond to multiple requests for further information. Its Boston-based parent company, GoTo, is in the process of spinning off LastPass as a separate enterprise.

Hiawatha Bray can be reached at Follow him @GlobeTechLab.