LastPass/GoTo Hack Response
LastPass/GoTo Hack Response: a reader asks…
I received an email from LastPass advising me (a user of LastPass) that their system had been hacked. Can you give me your thoughts on this and advice about what I should do? Should I switch password managers?
I too received that notice and another one from GoTo (the parent corp). While I treat all cyber incidents seriously, I’m not overly concerned, and am not planning on making any changes at this time. I’d recommend you don’t either.
LastPass is configured so that the contents of its cloud storage (where all customers’ vaults are held) are encrypted multiple times. Your vault is encrypted by your own devices before it is sent to (and after it is received from) the LastPass servers, and you are the only one with the encryption keys to your vault. LastPass doesn’t have those keys, so your data cannot be read by an intruder – the most hackers would get is unintelligible gibberish. LastPass adds another layer of encryption on top of yours and mine; that outer layer is potentially hackable if the hacker had inside access to LastPass, but even if it were broken it wouldn’t yield any customer data (other than perhaps our email addresses).
One possible result of this hack attempt is that the hackers could, once again, have a list of LastPass customers’ email addresses – yours and mine included. The worst outcome would be more spam in your inbox, possibly including phishing attempts to get you to do something unsafe. Maintaining wariness about anything coming in via email or text is your best defense. I must reiterate – email is inherently unsafe for critical communications, and SMS text messaging is not much better.
Your LastPass account is as secure as you make it. Good practices include having a long and un-guessable master password, not sharing your LastPass account and login credentials with anyone, memorizing that master password and not writing it down anywhere, and practicing safe computing (not letting your computer get hacked). Never give anyone you don’t know (in the real world) and explicitly trust access to your computer, whether in person or remotely. Don’t click on popups indiscriminately, don’t install apps on your computer or smartphone indiscriminately, and never give remote control of your computer to anyone (except maybe me for my clients :).
If you want to, out of an abundance of caution, you can change your LastPass master password. That means logging into your LastPass vault from one of your devices (smartphone or tablet app, computer browser extension or app) and going into the settings. That master password is known only on your devices; the LastPass app and browser extensions encrypt the password so that a unique one-time key is sent to the LastPass servers each time you access your vault online.
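The two points above (the vault is encrypted on your own device with a key LastPass never holds, and the login step sends a derived value rather than the master password itself) can be illustrated with a small model. The following is an added example written for this page, not LastPass’s own code, and it makes assumptions: the key-splitting design (a PBKDF2 vault key plus a separate one-way login hash), the iteration count, the sample vault contents and the HMAC-based toy stream cipher that stands in for a real AEAD cipher such as AES-GCM so the script runs on Python’s standard library alone.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed iteration count for the illustration; real clients use far more.
ITERATIONS = 100_000


def derive_keys(master_password: str, email: str) -> Tuple[bytes, bytes]:
    """Return (vault_key, login_hash) for this assumed design.

    vault_key stays on the device and encrypts the vault.  login_hash is one
    extra one-way step beyond vault_key, so the server (or anyone who copies
    its database) cannot run it backwards to obtain the vault key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS)
    login_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (assumed stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC with keys split off vault_key. Output: nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(16)
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def server_side_view(master_password: str, email: str, vault: bytes,
                     nonce: Optional[bytes] = None) -> Dict[str, bytes]:
    """Everything the cloud side holds after a sync: login hash and blob, no vault key."""
    vault_key, login_hash = derive_keys(master_password, email)
    return {"login_hash": login_hash, "blob": encrypt_vault(vault_key, vault, nonce)}


def server_copy_reveals_vault(stored: Dict[str, bytes], vault: bytes) -> bool:
    """Check what a stolen copy of the server data yields: the plaintext must not
    appear in the blob, and the login hash must not work as a decryption key."""
    leaks_plaintext = vault in stored["blob"]
    login_hash_decrypts = decrypt_vault(stored["login_hash"], stored["blob"]) is not None
    return leaks_plaintext or login_hash_decrypts


if __name__ == "__main__":
    # Constructed sample vault entry and credentials.
    sample_vault = b"site=example.com;user=me;pw=hunter2"
    stored = server_side_view("correct horse battery", "user@example.com", sample_vault)
    print("server copy reveals vault:", server_copy_reveals_vault(stored, sample_vault))
```

The design choice worth noticing is the second derivation step: because the login hash is computed from the vault key and not the other way round, a breach of the server-side database yields only ciphertext and a value that must still be brute-forced through PBKDF2 to reach the master password. That is why a long, unguessable master password, as the next paragraphs recommend, is the control that matters most.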
A good master password is very long (e.g., over 20 characters), and not easily guessable. I like to make up a sentence and use the first letter of each word, and substitute a letter or special character for certain words. Here’s an example:
I certainly hate those hackers who keep trying to get into my accounts! I wish they would just die (Ich8thwkt2gima!Iwtwjd)
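The sentence-to-password recipe above can be written down as a small script that applies the same rules (first letter of each word, whole-word substitutions such as hate → h8 and to → 2, punctuation kept) and then checks the result against the length and character-mix advice given here. This is an added example for this page, not the author’s code; the extra substitutions beyond the two the example uses, the minimum-length threshold and the character-class checks are assumptions.

```python
import re
from typing import Dict, List

# Whole-word substitutions.  "hate" -> "h8" and "to" -> "2" come from the
# page's own example; the rest are constructed extras in the same spirit.
SUBSTITUTIONS: Dict[str, str] = {
    "hate": "h8",
    "to": "2",
    "for": "4",
    "and": "&",
    "at": "@",
}

MIN_LENGTH = 20  # the page recommends more than 20 characters

# Words (letters and apostrophes) or single non-space punctuation marks.
_TOKEN = re.compile(r"[A-Za-z']+|[^\sA-Za-z']")


def sentence_to_master_password(sentence: str,
                                subs: Dict[str, str] = SUBSTITUTIONS) -> str:
    """Build the password: a substitution for listed words, otherwise the first
    letter (case preserved); punctuation passes through as a special character."""
    parts: List[str] = []
    for token in _TOKEN.findall(sentence):
        if token[0].isalpha():
            parts.append(subs.get(token.lower(), token[0]))
        else:
            parts.append(token)
    return "".join(parts)


def check_master_password(pw: str) -> List[str]:
    """Return a list of problems (empty means the password meets the advice)."""
    problems: List[str] = []
    if len(pw) <= MIN_LENGTH:
        problems.append(f"too short: {len(pw)} characters, want more than {MIN_LENGTH}")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # The page's own sentence, used here as sample input.
    sentence = ("I certainly hate those hackers who keep trying to get into "
                "my accounts! I wish they would just die")
    pw = sentence_to_master_password(sentence)
    print(pw, len(pw), check_master_password(pw) or "ok")
```

Run against the page’s sentence the script reproduces the example exactly, and the check passes because the 21-character result mixes upper and lower case, a digit and a punctuation mark. The sentence itself should be one you make up rather than a quotation, since a well-known line would be a guessable starting point.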
I’m waiting to see if LastPass sends another email out suggesting a password change before I change mine – that’s probably not needed for this intrusion. But there’s nothing wrong with changing your master password, so long as you remember the new one!
This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via:
or by mailing a check/cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!