
March 10, 2023

As a fan and long-time user of LastPass, I was alarmed by the latest LastPass hack. But what exactly happened, and what does it mean for users like you or me?

What Happened

In a nutshell, LastPass suffered a security breach that exposed some user data, including billing and email addresses, end-user names, telephone numbers, and IP address
information. LastPass has 30 million users. It claims that only 3% of them have been seriously impacted, and that it has been working with those users to maintain security.

Three percent might not seem like a lot, but this is bad news.

Should You Be Concerned?

Yes, of course you should be. LastPass has written a couple of blog posts reassuring its customers, but I think some healthy skepticism is in order.

While LastPass uses strong encryption and a “zero knowledge” system, the reality is that the hackers may now have encrypted master passwords and potentially access to your whole

Zero knowledge is a term used to describe a system where the service provider doesn’t have access to the plain text version of your usernames and passwords.

Instead, the encryption and decryption processes are handled solely on the user’s device, making it extremely difficult for anyone, including LastPass employees themselves, to access the passwords. Said another way, LastPass does not have access to the actual passwords stored in its system; only the user does.

This doesn’t mean stolen encrypted data is safe. Arguably the villain here could use “brute force” to guess your passwords. This will take anywhere from half an hour and $100 to millions of years (no exaggeration, this is the range of times provided by various sources).
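The two ideas above (a “zero knowledge” vault that only the user’s device can open, and the brute-force range that depends on the master password) can be shown in a few lines. The following is an added illustration, not LastPass code and not a description of LastPass’s actual vault format: it derives a key from the master password with PBKDF2 on the client, stores only salt, nonce, ciphertext and an integrity tag (what a server would hold), and refuses to open the vault with the wrong master password. The HMAC-based keystream is an illustrative stand-in for a real authenticated cipher such as AES-GCM, the iteration count and the guess rate in the estimate are assumptions, and the sample vault contents are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed KDF cost for this illustration; real managers pick their own parameters.
KDF_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key. Only the user's device runs this."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative HMAC-SHA256 counter-mode keystream (stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Client side: encrypt the vault. The returned dict is all the server ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_vault_key(master_password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password: str, blob: dict) -> Optional[bytes]:
    """Client side: re-derive the key and decrypt; None means wrong password or tampering."""
    key = derive_vault_key(master_password, blob["salt"])
    expected_tag = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    stream = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def guesses_to_exhaust(length: int, alphabet_size: int) -> int:
    """Number of candidate master passwords of a given length over a given alphabet."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at an assumed offline guess rate."""
    return guesses_to_exhaust(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample vault contents.
    vault = b"bank.example: user=alice pass=correct-horse-battery-staple\n"
    stored = seal_vault("a long master passphrase from a favourite movie line", vault)
    # The server-side copy contains no usable plaintext.
    assert vault not in stored["ciphertext"]
    # Only the right master password opens it on the client.
    assert open_vault("a long master passphrase from a favourite movie line", stored) == vault
    assert open_vault("password123", stored) is None
    # Why length matters: 8 lowercase letters vs 16 mixed-case-plus-digits,
    # at an assumed 1e9 guesses/second (the KDF cost makes real rates far lower).
    print(f"8 lowercase chars: {years_to_exhaust(8, 26, 1e9):.2e} years")
    print(f"16 mixed chars:    {years_to_exhaust(16, 62, 1e9):.2e} years")
```

The point of the estimate is the spread, not the exact figures: a short master password on a stolen vault falls within seconds to hours, while a 16-character passphrase pushes the same calculation into astronomical time, which is exactly why the advice below starts with the master password rather than with the vault’s encryption.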

What is the Likely Impact of the LastPass Hack?

The impact of the LastPass hack will vary from person to person. It’s not worth the gamble that it’ll take a million years to hack your account(s), so it’s wise to make adjustments now.

Your best defense? A good offense.

What Do You Do Now?

Given that we don’t know what the impact will be, it is important to take steps to protect yourself after a hack.

Take these actions:

1. Change your master password. It should be 16 characters long or longer. Do not use any identifying information in it (name, address, SSN, etc.). Opt for a phrase, like a
favorite movie line. Use odd variations on words.

2. Use two-factor authentication. You should have turned this on a long time ago. Before you get into your vault you should have to use your phone or a code to verify it’s you. I
know this is a pain. Get used to it. It’s the way of password security going forward. If you’re using biometric identification (thumbprint, facial recognition), this will go faster.

3. Use a password on your phone.

4. Change your passwords on highly sensitive accounts – banking, credit cards, insurance, health care, social media, tax information, document vaults, etc. Use LastPass to create
passwords for you so that you create unique, strong ones.

5. Monitor your accounts for suspicious activity.

6. Consider changing password vaults.


Do I Still Recommend LastPass?

Sadly, no, because that would just make me look stupid.

However, I believe that hacks like this are humbling not only for the victim company but for all the password managers out there. Password managers will likely be stronger than ever.
I remain a fiercely strong advocate of having a password manager for many reasons but they all come down to this: They protect us from ourselves. We use better passwords, we use two factor authentication, we don’t repeat passwords, we don’t share passwords in an unsafe way, and we can use them to transfer information in the event of incapacity or death.

The truth is that I will probably stay with LastPass for now, try out a new password manager, and if I like the new one, I will probably migrate everything. I have over 300 entries in my
LastPass, many of which are old or useless. It’ll take me a while to migrate, but I’m all about purging no longer needed items.

Understand, however, that I actually do use “good password hygiene.” My master password is 18 characters long, is written down nowhere, and is shared with no one. I change all my work-related passwords every 90-180 days. I change my banking passwords about once a year. I use two-factor authentication on every account in which it is offered to me. I look at every single banking transaction – personal and business – at least once a month. I use a credit report service to monitor my credit.

Yes, it’s a pain and takes up time. Yes, it’s totally worth it.
If you are not doing all these things, then you need to take action sooner and build some new habits.

How To Protect Against a Future Hack?

Do all those things I mentioned above:
1. Use a password manager.
2. Use strong, unique passwords.
3. Use two-factor authentication.
4. Use a password on your phone.
5. Change your passwords when needed.
6. Monitor your accounts for suspicious activity.

By doing these things, you can ensure that your online accounts are secure and protected against unauthorized access. I’ve been talking to people about their money for over 25 years. I have only had to start talking about identity theft and fraud in the last five or so. It’s a serious financial self-care topic now.
Please don’t ignore it.

If you need encouragement around password vaults, don’t hesitate to reach out.

Lanning Financial Inc. is a registered investment adviser. Information presented is for educational purposes only and does not intend to make an offer or solicitation for the sale or
purchase of any specific securities, investments, or investment strategies. Investments involve risk and unless otherwise stated, are not guaranteed. Be sure to first consult with a qualified financial adviser and/or tax professional before implementing any strategy discussed herein. Past performance is not indicative of future performance.

