What to do if you’re affected by the LastPass hack

If you haven’t heard, the popular password manager LastPass has been breached. That means that if you use LastPass, or have ever used LastPass, then your passwords and other data are at risk. If you still use any of the passwords that were stored in LastPass as of a few months ago, you’ll need to stop using them ASAP, because those passwords might now be in the hands of hackers.

To be clear, the passwords were not directly stolen by the hackers. The passwords were still encrypted with your master password, and if that master password was a long secure one, then you might be safe… at least for a little while. Without getting into too much computer jargon, let’s just say that it can take anywhere from hours to years for hackers to “crack the code” on your password vaults. It depends on how secure your master password was.

If your LastPass master password was very weak, like “123qwerty”, “snoopy1982”, “p@ssword!”, or something else short or containing words/names, the hackers are going to break into your account first (if they haven’t already). You seriously need to drop whatever you’re doing and take the actions recommended in this article ASAP. The hackers are harvesting more account passwords every day, and they might have all of yours any minute now.

Can you imagine what would happen if a criminal took over your email account? Or if you lost access to all your family photos? Or if all of your money was drained from your bank and retirement accounts?

You might be able to get some of that stuff back. But maybe not. And even if you do, it can mean years of headaches and worry, especially if you’re dealing with identity theft. So why not take a couple hours to get more secure? Yes, it will be annoying, but it’s better than dealing with the alternative.

Even if your master password was more secure, like “Ocean-Govern-Extreme-Tree-15” or “9U7UCr3%NrC&ig5mPZRe”, I still highly recommend that you take the precautions mentioned in this article, including switching to a new password manager and changing out your old passwords. Just changing your LastPass password isn’t enough—that’s like locking the barn door after the horses have already been stolen. Here’s what you actually need to do.
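
To make the “hours to years” claim concrete, here is an added Python example (not from the original article) that estimates how many bits of guessing an attacker needs for the three kinds of master password above and converts that into an expected cracking time. The guess rate, the size of the common-password list, and the 7,776-word passphrase list are assumptions for illustration, not figures from the article or from LastPass.

```python
import math
import string

# Assumptions (not from the article): attacker guess rate against the
# vault's key derivation, size of a "common passwords" list, and a
# Diceware-style word list of 7,776 words.
GUESSES_PER_SECOND = 1_000_000
COMMON_LIST_SIZE = 10_000_000
WORDLIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def random_entropy_bits(password: str) -> float:
    """Bits of entropy if each character is drawn uniformly from the
    character classes the password actually uses (fair for a generated
    password, badly optimistic for one built from words or patterns)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool)

def passphrase_entropy_bits(words: int, digits: int = 0) -> float:
    """Word-list passphrase: the attacker guesses words, not letters."""
    return words * math.log2(WORDLIST_SIZE) + digits * math.log2(10)

def common_entropy_bits() -> float:
    """A password found in a leaked-password list costs the attacker
    at most log2(list size) bits, however long it looks."""
    return math.log2(COMMON_LIST_SIZE)

def years_to_crack(bits: float) -> float:
    """Expected time: on average half the search space is tried."""
    return (2 ** bits / 2) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

if __name__ == "__main__":
    cases = [
        ("123qwerty (on common-password lists)", common_entropy_bits()),
        ("Ocean-Govern-Extreme-Tree-15", passphrase_entropy_bits(4, 2)),
        ("9U7UCr3%NrC&ig5mPZRe", random_entropy_bits("9U7UCr3%NrC&ig5mPZRe")),
    ]
    for label, bits in cases:
        print(f"{label:40s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")
```

The weak password falls in seconds regardless of its length, the passphrase holds for thousands of years at this rate, and the generated 20-character password is out of reach entirely; a faster attacker only shifts the numbers, not the ordering.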

Actions to take

Here’s what I recommend:

  1. Get a new password manager (I recommend Bitwarden; it’s free and secure).
    • Generate a NEW password for it, different from any password you have ever used. Use a password generator to ensure that it’s secure.
    • Keep that master password written down until you have it memorized.
  2. Get the Bitwarden app/extension.
  3. Export your LastPass passwords to a local file. (Most other password managers allow this too.)
  4. Import your LastPass passwords into Bitwarden.
  5. Uninstall the LastPass extension from your browser/phone.
  6. Change your passwords on all of your most important accounts, updating them in Bitwarden. Do NOT update them in LastPass!

Eventually, you can move on to changing the passwords on your less-important accounts, but that can wait for another day. Do the 6 steps above ASAP.

If you’re not sure exactly how each step works, here’s a guide with more detail:

1. Set up Bitwarden

Create a Bitwarden account. That includes setting a master password. This password grants access to all of your other passwords, so it needs to be really secure. Do NOT use the same password here as on any other site/account!

I recommend generating a new password on this website:

Remember to write down the password, preferably in multiple locations. Hide the papers somewhere, and don’t write down that it’s for Bitwarden, just in case someone finds it.

You’ll need to keep the written versions until you have it memorized. Only destroy the written versions once you’re SURE you have the password memorized. There is no “forgot password” button for password managers (for security reasons).

2. Get the Bitwarden app/extension

On your phone, I recommend using the Bitwarden app. For computers, I recommend the browser extension, e.g. for Chrome, Safari, Firefox, etc. You can download everything here:

The browser extension will let you fill in password fields with the click of a button; just click the Bitwarden icon in your extensions area (upper right of browser), then click the credential you want to use (if you only have one account, only one credential will appear). You can also enable automatically filling in user/password fields under “Settings”, then “Options”, then “Auto-fill on page load”.

The app can do the same: you’ll want to enable the autofill features by going to “Settings”, then “Auto-fill services”, and enabling “Auto-fill service”, “Use inline autofill”, and “Use accessibility”. Grant the permissions it asks for. Then a Bitwarden button will appear above your keyboard when you’re at a user/password field. Just click on it, and it will fill in your credentials!

3. Export LastPass passwords

Simply log in to lastpass.com, select “Advanced Options”, and then “Export”. Check your email to confirm if it asks you to. If it succeeds, it will have downloaded a file like “lastpass_export.csv”.

Note that most other common password managers allow exporting too, so you can follow this guide even if you don’t have LastPass. You can even export from your browser, in case you have passwords stored in Chrome or something.

4. Import those passwords into Bitwarden

Log into bitwarden.com, go to “Tools”, then “Import data”. Select “LastPass (csv)” from the dropdown, and then upload the “lastpass_export.csv” file you got in the last step. Then go to your “Vault” and you should see all of your website logins!

Remember to delete the “lastpass_export.csv” file when you’re done! And empty the Trash/Recycle Bin too; that export was unencrypted, so you don’t want it just hanging around.

5. Remove LastPass

Just remove the app (from the app store) and/or browser extension (from the browser settings). Make sure to cancel your subscription too, if you have the premium version!

Optionally, you can delete your LastPass account. The data was already hacked once, but deleting it might help prevent it from being hacked again by a different group of hackers! Even if you change your passwords, LastPass still has lots of your personal info.

6. Change your most important passwords

6A. Figure out your most important accounts

Because you transferred all of your credentials to Bitwarden, you can just open the Bitwarden Vault and review all of the sites in the list. If you are having trouble navigating Bitwarden, try out these “getting started” videos.

I recommend creating a new text document (e.g. Word, Google Docs, etc.) and opening it side-by-side with Bitwarden. As you go through the vault and find important sites, add them to the text document near the top (for “top priority”). You can also create a second list for “second priority” sites.

Your “top priority” list should include:

  • Email accounts (most important, since you can reset most account passwords via email)
  • Phone provider
  • Financial institutions, including banks, Venmo/PayPal, and anywhere you hold retirement accounts, investments, or credit cards.
  • Anything that provides access to sensitive information, e.g. government websites (IRS, SSA, DMV, etc.), tax preparers, healthcare and insurance sites, etc.
  • Important social media accounts
  • Communication apps, including Discord, Slack, etc.
  • Important company/work sites, including VPN passwords
  • Any sites where you may have stored payment info or personal info, e.g. Amazon, travel sites, etc.
  • Any sites that otherwise store important data or backups, e.g. iCloud/Apple, Dropbox, notes/todo apps, etc.

Your “second priority” list might include:

  • Security system and/or security camera access, if applicable
  • Other services that you subscribe to, e.g. Spotify, Netflix, etc.
  • Shopping/travel websites that you don’t have saved payment info for
  • Utility accounts, library accounts, etc.
  • Any other site/service that you would be upset about losing access to

You should change everything on your high-priority list ASAP. Like within a day or two. Your second-priority list can probably wait a little longer, but I’d try to get to them within a few weeks. For the rest, you probably don’t care about them very much, so you may never bother changing the passwords on them. Hackers might not want them either, and even if they do hack it and you lose the account, you can just make another one. Or you can just change them the next time you happen to log in, perhaps. Up to you.
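
As an added example (not part of the original guide), this Python script reads a LastPass-style CSV export, sorts entries into the two priority lists using keywords from the lists above, and flags passwords that are reused across sites, since a reused password turns one breached site into several. The column layout and the sample rows are constructed assumptions; run it locally against your own export and then delete the file as described in step 4.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample rows in the column layout assumed for a LastPass
# CSV export (url,username,password,totp,extra,name,grouping,fav).
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice,Summer2019!,,,Email,,1
https://bank.example.com,alice,Summer2019!,,,Bank,Finance,0
https://www.netflix.com,alice@example.com,Summer2019!,,,Netflix,,0
https://library.example.org,alice,Library2021,,,Library,,0
https://vpn.example-corp.com,alice,xK9#mQ2vL8pR4wT7,,,Work VPN,Work,0
"""

# Keywords taken from the "top priority" list above; extend to taste.
TOP_PRIORITY_KEYWORDS = ("mail", "bank", "paypal", "venmo", "irs", "ssa",
                         "vpn", "icloud", "dropbox", "health", "insurance")

def load_export(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def host_of(row: dict) -> str:
    return urlparse(row["url"]).hostname or row["name"]

def is_top_priority(row: dict) -> bool:
    haystack = f'{host_of(row)} {row["name"]} {row["grouping"]}'.lower()
    return any(k in haystack for k in TOP_PRIORITY_KEYWORDS)

def triage(rows: list) -> tuple:
    """Split hosts into the two lists from section 6A."""
    top = [host_of(r) for r in rows if is_top_priority(r)]
    second = [host_of(r) for r in rows if not is_top_priority(r)]
    return top, second

def reused_password_groups(rows: list) -> list:
    """Groups of hosts sharing one password; the passwords themselves are never output."""
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(host_of(row))
    return [sorted(h) for h in by_password.values() if len(h) > 1]

if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    top, second = triage(rows)
    print("Top priority:   ", ", ".join(top))
    print("Second priority:", ", ".join(second))
    for group in reused_password_groups(rows):
        print("Same password reused on:", ", ".join(group))
```

Any site in a reuse group belongs on the list you work through first, even if it looks unimportant on its own.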

6B. Change those passwords!

Go through the list in order of priority, changing passwords for each site/service. Cross them out on your list when you finish, so you can keep track of which ones are done.

Just go to the site, and when you reach the login page, Bitwarden should auto-fill for you (like we set up in section 2, earlier). If it doesn’t, you might have to unlock your vault first; it will lock itself occasionally as a security feature. Just open the Bitwarden app or extension and enter your master password. Sometimes you might also have to manually select the credential to fill, particularly if you have multiple accounts with the same website.

Once you’re logged in to a site, find the page to change your password. Bitwarden might fill in both the “old password” and “new password” fields, but this isn’t a big deal; just delete what got entered in the “new password” field. To get a new password, open the Bitwarden app or extension and select “Generator”. I recommend allowing all letters, numbers, and symbols, and making the password 20 characters long. It will be impossible to remember, but who cares? Bitwarden will remember it for you! And it should be plenty secure. After the first time, it should remember your password settings. Then you can just click the “copy” button next to the generated password and paste it into the “new password” field.

Usually, when you set or update a password, Bitwarden will ask if you want to save/update it. Select yes! If the popup doesn’t appear though, then open Bitwarden again and click the “view” icon for your credential, then “Edit”, then paste in your new password over the old one. You can also edit notes here as well, which is a great place to store the answers to security questions (which should basically just be extra passwords!). Yeah, it might be a good idea to replace your security questions while you’re at it.

FAQ

Why can’t I just keep using LastPass?

LastPass is not just “unlucky” for getting hacked; they actively implemented bad security practices, and it was only a matter of time until it caught up with them and their users. Switching to a more secure password manager (like Bitwarden) is the prudent choice. Switching only takes a few minutes, and it’s free! (unlike LastPass)

Most of the work you have to do here is changing out your old passwords, and you would need to do that anyway, even if you kept using LastPass. Might as well take the opportunity to move to a more secure password manager so that you don’t have to do it all over again when LastPass goes through another hack!

What if my new password manager gets hacked too?

That’s possible, but the chances are low. Bitwarden has a better track record at security and transparency than LastPass does, and even if they do get hacked, the consequences are likely to be less severe.

Besides, the alternatives are all worse:

• Want to just use the same password for every site?
  • Bad idea! If you use the same password across all sites, then hackers who break into any of those sites get your password for every site. What happens if Netflix gets hacked? Wouldn’t it suck to have all of your money stolen because your bank password was the same as your Netflix password?
• Want to generate different passwords for every site, but still try to remember them?
  • That’s really hard to do if they’re all long, secure ones!
• Want to just write all your passwords down?
  • Actually… let me just do a whole subsection on that:

What if I don’t want a password manager any more? Can I just write down my passwords?

You may worry that if you just switch to another password manager, it might just get hacked too. Why not go old school and write down your passwords? Well, there are tradeoffs to be made.

If you write down your passwords, it’s actually VERY secure against hackers. After all, they can’t hack paper. But then, of course, you get different problems:

• What happens if someone breaks into your house and steals your notebook?
• What happens if you lose the notebook or it gets destroyed?
• What happens when you get fed up with manually searching the notebook and manually entering all of your passwords? You might get tempted to start reusing passwords, or start using weaker ones that you can remember…

Password managers solve these problems. They’re secured with a master password in case of theft, they are in the cloud and can be easily backed up to prevent loss, and they are way easier to use than a notebook, at least if you have lots of passwords!

But if you are really truly resistant to the idea of using a password manager, and writing down your passwords is the only way you can use secure ones… then go for it. You’re more likely to get hacked due to a bad password than you are to get burglarized. Just… try to be subtle about it, ok? At least hide your password notebook somewhere. Here are some good ideas for hiding spots.
