KEY POINTS

  • LastPass was attacked in August
  • It suffered the same fate in November
  • Users should take precautions to safeguard their funds

LastPass, the password manager that saves, stores and organizes users' passwords and login credentials, has been compromised, and users must take necessary measures to safeguard their funds.

Reports from various media outlets have claimed over the past few days that LastPass, one of the world's most popular password managers, has been compromised and that crypto users are at grave risk.

The security incident, which was reportedly announced on Nov. 30 and is said to have stemmed from an earlier attack that took place in August, is a lot more damaging than initially reported, with malicious actors taking possession of users' password vaults, according to LastPass.

"No customer data was accessed during the August 2022 incident," LastPass CEO Karim Toubba said, as per a recent update in a company blog post. However, "some source code and technical information" were stolen and utilized to spear-phish a LastPass employee. This allowed the attackers to get access to credentials and keys that were then used to "decrypt some storage volumes within the cloud-based storage service."

In a previous update, LastPass noted that "[t]he threat actor gained access to the Development environment using a developer's compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication."

Given the current situation, LastPass users must take the necessary steps to safeguard their accounts.

A Twitter user who goes by the handle @udiWertheimer suggested that people stop using the app and move their assets to a new wallet. The Twitter user believes that simply changing the master password will not help, as there is a high possibility that the attackers already have a copy of a user's vault and their copy is unlockable with the user's old password.

"Take care of urgent accounts first, manually, then set up a new password manager," the Twitter user noted, adding that users should "move your crypto assets to new wallets."

The Twitter user also mentioned that those with seed phrases on LastPass should "generate new wallets, write the seed phrases on a piece of paper ONLY and move all your assets to the new wallets," explaining that "if the attacker has access to your seed phrases, they can take your assets at any time and you can't reverse that."

The Twitter user also said that users should change their passwords on crypto exchanges as well as on their email, Apple iCloud and Google accounts.

"Change your passwords on crypto exchanges and other financial stuff. Write down passwords on paper for now. Use a different password for each exchange. Turn 2FA on, and make sure the 2FA code isn't stored inside LastPass. If it was, remove 2FA and set it up again on another app," he said.
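The reason the advice above says a master-password change is not enough can be shown with a small model of how a password vault is protected. The following is an added illustration, not code from the article or from LastPass: a vault is encrypted under a key derived from the master password, so changing that password only re-encrypts the copy the service holds; a copy stolen earlier still opens with the old password. The scheme here (PBKDF2-HMAC-SHA256 key derivation, an HMAC-based keystream with a separate authentication tag, and an illustrative iteration count) is a constructed stand-in and is not LastPass's actual vault format.

```python
import hashlib
import hmac
import json
import secrets

# Illustrative PBKDF2 work factor for the demo; an assumption, not LastPass's setting.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    """Split the derived key into an encryption key and an authentication key."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream built from HMAC-SHA256 blocks (constructed for illustration)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Encrypt the vault entries under a key derived from the master password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict):
    """Return the entries, or None when this password does not open this blob."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def change_master_password(old_password: str, new_password: str, blob: dict) -> dict:
    """What the service does on a password change: decrypt with the old key, re-encrypt with the new one."""
    entries = decrypt_vault(old_password, blob)
    if entries is None:
        raise ValueError("old master password does not open this vault")
    return encrypt_vault(new_password, entries)


def demo() -> dict:
    """Compare the service's copy with a copy exfiltrated before the password change."""
    entries = {"exchange.example": "constructed-sample-secret"}  # constructed sample entry
    old_pw, new_pw = "correct horse battery staple", "a brand new master password"
    server_copy = encrypt_vault(old_pw, entries)
    stolen_copy = dict(server_copy)  # the blob as it existed at the time of the theft
    server_copy = change_master_password(old_pw, new_pw, server_copy)
    return {
        "server_opens_with_new": decrypt_vault(new_pw, server_copy) == entries,
        "server_opens_with_old": decrypt_vault(old_pw, server_copy) is not None,
        "stolen_opens_with_old": decrypt_vault(old_pw, stolen_copy) == entries,
        "stolen_opens_with_new": decrypt_vault(new_pw, stolen_copy) is not None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Only the service-side copy is affected by the change; the stolen copy keeps opening with the old password and never sees the new one, which is why the advice is to rotate the secrets inside the vault (and the wallets whose seed phrases it held) rather than the master password alone.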

LastPass, a password managing service, was hacked, the company announced Monday. In this picture illustration taken in Berlin, dated May 21, 2013, the word 'password' on a computer screen is magnified with a magnifying glass. Reuters/Pawel Kopczynski