
Useless_Advice_Guy t1_j1fxrds wrote

Is it still an issue if I have 2FA?

2

OppositeCode t1_j1g14xm wrote

From a privacy standpoint, you should change passwords (especially your master password). The hackers have the URLs for accounts of LastPass users (as they weren't encrypted). So it is recommended to change passwords for "important accounts" (emails, financials, etc.).

You can then slowly go through your other passwords and change them, like the next time you visit the site. Also, don't use LastPass any longer; if you want to keep using a cloud-based password manager, I recommend Bitwarden for free users.

3

Flashbulb_RI t1_j1gparw wrote

I'm really angry that LastPass was not encrypting EVERYTHING in the user vaults, including URLs, because LastPass says on their website "Data stored in your vault is kept secret, even from LastPass." However, from a practical point of view, I wonder if the hackers can identify the email address/identity of the vault owner. Without that info the URLs are not useful.

6

DrQuantum t1_j1g14v8 wrote

Yes and no. You need 2FA on the accounts in your LastPass. But the encrypted fields in your account are exposed. They can crack the master passwords and then have your others. If you have a strong password, like complex 14-16 characters or more, it will take brute forcers a very long time to get in.

But everyone with LastPass should reset their master password regardless, and, just in case, everything in it, if they must stay with LastPass. But really, at this point they should move off the platform.

2