sophware

Change your LP password and make sure MFA is enabled. No, these won't help with already-stolen credentials. Yes, these will help with your newly changed or added accounts, if you're still using LP. Secure with MFA any email that can be used to reset passwords. Do the same for other key accounts, like banking and accounts with organizations that have your CC #. I can't think of a site that would store your SSN and then show it to you, but if there is such a thing include it in your "must have MFA" list. If you have accounts that control DNS records, store client information, or count as official channels of communication (this often goes well beyond email) they are top priority, too. For the rest, if you have few enough passwords and enough time, your idea sounds like it could help.


bigmanTulsFlor

Thanks. I think if they had accessed anything I would have known about it by now. But after I've gone through and changed passwords I'll just check everything I can (like Google, for example) for logins that I don't recognize. FUCK, and these bastards still have "#1 password manager" on their website, the absolute fucking gall. I'm being redundant; everyone has already bitched enough for me.


sophware

Bitching actually helps, I think. That said, by what logic would they take down the #1 password manager marketing? It might be more concerning if they did. To me, the serious issues lie in other action (and inaction) on their part. Stop reading what I'm writing and get to it!


muggylittlec

Ensure you have locked down your email accounts like a fortress. If someone is working their way through your online accounts, your email is going to be key to regaining access. If they get into your emails you're fucked. This happened to me years ago and they got into everything.


bigmanTulsFlor

Thankfully Google tells me when someone is accessing the account so I know for a fact it's safe.


two_three_five_eigth

You need to change your master password. If they crack your vault they now have access to your new vault until you change it. Edit: I agree with the commenters. Swap to another password manager (I'm very happy with 1Password), transfer over. Change all your passwords in 1P and delete your LP account.


teehill

No, the answer is to completely shut down your lastpass account, never give them any credentials ever again.


jaymz668

Make sure you export all your passwords first... and then change them all after moving from LastPass.


bigmanTulsFlor

Yes. Lying, which is what I understand they have done, is unacceptable. I was in the 100100 iterations camp. Can't imagine how the 500/5000 people are doing.


NanoPi

There are people who have it set to 1, probably due to being OG users from 2010~ and never knowing they have to change it themselves.


bigmanTulsFlor

Thanks, that's what I've been reading.


Fit-Arugula-1592

You're fine. Leave Lastpass. But you're fine lol. I'm betting you just forgot.


bigmanTulsFlor

Forgot what? But yeah I just let slings like this slide. Childish procrastination


ilmakalu

As they suggested:

1. Export your LP passwords and import them into a different password manager (1Password, Bitwarden, …).
2. Start changing all your passwords from the most important ones: Bank/Financial, Emails, Job Related.
3. Enable MFA/2FA where possible.
4. Delete your LP account.

Even if you are not being compromised, I don't think you feel safe to trust LP anymore. I don't.


toxiroxi

I agree with all steps above. The only thing I did differently, as I obviously wasn't thinking thoroughly: I changed all my pw's in the LP vault and then migrated over. The master pw was already changed. Would you now advise making another rotation of passwords? At least for the most important ones?


avendr

Yes! I don't think LastPass deletes your vault in all their backups.


sparkyflashy

You should probably send me to Hawaii to check it out, make sure everything is ok. While I'm doing that, set a new LP Master Password, open an account with 1Password, export from LP, import into 1P, rotate your passwords, close down your LP account.


bigmanTulsFlor

Haha the tickets are the mail. To Hawaii, you have to get a flight and go pick them up. Come back and then you can go.


[deleted]

They got into my vault and I had a 14 character password. Lastpass failed categorically. Change your master password, enable two factor and go through every account in your vault and change the passwords ASAP


Nicky2385

They got me too. On the 30th November, the same date as the last hack, someone stole my entire Mycelium Bitcoin wallet. The only place I kept my 12 words was LastPass. I learnt a very hard lesson; future words will be kept in a cold wallet.


sunflower_1970

The hack didn't happen on November 30th.


Nicky2385

There was a second hack.


sunflower_1970

There was a firefight.


Redditributor

How did you find out?


[deleted]

I don't know for certain, but I'm pretty confident. Somebody got my bank account numbers and stole about $1500 from me, then someone tried to log into my Venmo, and somebody locked me out of one of my utility provider's websites. And the final straw for me was when LastPass emailed me that someone tried to log into my LastPass vault with my master password. But I had 2FA on so they didn't get in.


Liquidretro

I have my doubts that this access is related to the recent breach. Chances are attackers are going after high value targets first.


sunflower_1970

And even then, we haven't seen anything related to high value targets because of LP's breach.


bigmanTulsFlor

Yes, the proxy extension I use has a default option which will choose what's available. Also it stays on and I forget that I turned it on. You're most likely correct.


glyndon

Be careful - think this through - before enabling 2FA (OTP) on your 1P vault. Unlike LastPass, 1P has no 'go around' for situations like Trusted Contacts to use if you are deceased. If your phone (i.e. 2FA code generator) ever gets destroyed, 1P has no way past it - your vault is now a bricked BLOB. I find that keeping the typed-in password separate (never in the same room simultaneously, like Bruce Wayne and Batman) provides sufficient peace-of-mind, since escrowing 2FA key(s) is not quite as easy as it should be.


bigmanTulsFlor

Yeah, 2FA has screwed people over on YouTube, for example. I keep the password around and nobody finds it, or if they do, they don't know I use a pw manager.


regrem

What makes you think someone will focus a lot of cracking power on your account? Are you famous? Do you have a lot of crypto URLs in your vault? The dump that was stolen contains a lot of vaults and no one will go after a random vault.


bigmanTulsFlor

Because as far as I understand it, the verification process for cracking doesn't require any leg power. Which means inevitably every single acct will be cracked simply, and I cannot verify the amount of power that will take. I'm hearing varying answers on how much it will cost based on password strength.


regrem

Listen to 'Security Now 305'; Steve Gibson explains how long it takes to crack one vault. If your iteration count wasn't set to 1, it will take months of 24/7 work for 200 GPUs to crack a single vault. If you have a good password it will take several lifetimes! If you have a crappy password and are for some reason targeted, then you should change your password; otherwise you are fine. No one will crack vaults that aren't high value.
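The thread keeps coming back to the PBKDF2 iteration count (1 vs 500/5000 vs 100100) as the thing that decides how expensive each offline guess against a stolen vault is. The script below is an added example, not code from the thread or from LastPass: it derives a key with PBKDF2-HMAC-SHA256 at each of those counts, times a single guess, and scales a constructed attacker throughput figure to show why a low iteration count (or a short password) changes the picture by orders of magnitude. The 32-byte output length, the salt, the sample passwords and the 1e9 guesses/s rig are all assumptions for illustration.

```python
# Added example: why the PBKDF2 iteration count matters for a stolen vault.
# Not LastPass code; parameters beyond the iteration counts are assumptions.
import hashlib
import os
import time

# Iteration counts named in the thread: legacy default, mid values, current default.
ITERATION_COUNTS = [1, 500, 5000, 100100]

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password with PBKDF2-HMAC-SHA256 (assumed 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def time_one_guess(master_password: str, salt: bytes, iterations: int, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation: the price an attacker pays per guess."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        derive_vault_key(master_password, salt, iterations)
        samples.append(time.perf_counter() - t0)
    return sorted(samples)[len(samples) // 2]

def relative_cost(low_iterations: int, high_iterations: int) -> float:
    """PBKDF2 cost is linear in the count, so 1 -> 100100 makes every guess ~100100x dearer."""
    return high_iterations / low_iterations

def expected_guesses(entropy_bits: float) -> float:
    """Average guesses to hit a password of the given entropy (half the keyspace)."""
    return 2 ** (entropy_bits - 1)

def years_to_crack(entropy_bits: float, iterations: int, guesses_per_second_at_1_iter: float) -> float:
    """Attacker model (assumption): a rig doing N one-iteration guesses/s slows linearly with iterations."""
    per_second = guesses_per_second_at_1_iter / iterations
    return expected_guesses(entropy_bits) / per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; a real vault salts with something account-specific
    for n in ITERATION_COUNTS:
        ms = time_one_guess("correct horse battery staple", salt, n) * 1000
        print(f"{n:>7} iterations: {ms:8.3f} ms per guess on this machine")
    rig = 1e9  # constructed throughput for illustration only, not a measured figure
    for bits in (28, 40, 60):  # roughly: short dictionary phrase, decent passphrase, strong random
        print(f"{bits}-bit password: {years_to_crack(bits, 1, rig):.2e} years at 1 iteration, "
              f"{years_to_crack(bits, 100100, rig):.2e} years at 100100")
```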