by sunnyba
1023 days ago
Is there a simple way to download the portion of the data that was breached for just our own account? I've switched providers and deleted my LastPass account after this last breach but getting to see that would make it a lot easier to understand risks.
Anyone please correct me if there have been updates here:
In August-October 2022, attackers obtained, among other things, backup files containing LastPass users' vaults. I don't think the company mentioned what timeframe the backups covered, or whether this contained vaults from users who already deleted their accounts.
A vault file contains both plaintext and encrypted information. The Secure Notes function, which might be used for, say, crypto seed phrases, was encrypted. Passwords are encrypted. However, the URLs for those passwords are in plaintext, possibly along with last-access time. Someone with your vault can see what sites you have passwords for, before even trying to crack the password. Not great for anyone but especially for high-value targets or for those who are in politically-hostile environments.
Since attackers took the files from the source, it does not matter whether you had 2FA (edit: 2FA on LastPass that is. 2FA, with the secret outside of LastPass, for sites in your vault is very beneficial here!). They can throw a bunch of GPUs at cracking our master passwords offline. There's nothing we can do; the horses have left the barn, or rather were abducted by a UFO.
One other thing that affects mostly older accounts is that while modern best practice is to use 600k+ password hash iterations, some users had far smaller numbers, like 5000, or 500, or 100. Or even 1. Not joking. LastPass could have upgraded users on login for years--I believe they do now, but that has no benefit to the compromised data.
[1] is an article on what might have happened: engineer with high-level credentials logged on from a home machine that was compromised from an old version of maybe-Plex (which fixed the relevant vulnerability long before). And of course the company had security practices that allow engineers to access the kit and caboodle of user vaults from their home machines, even if indirectly. In the end it seems this was caught due to Amazon's automated warnings around certain IAM change actions.
ETA: I do appreciate the difficulty of guarding high-value data against determined adversaries. I also wish LastPass would have been more forthcoming as to the details here; to my knowledge they haven't provided exact details on what was taken, or suggested users change passwords in vaults as of October of last year. Is this still correct?
[1] https://arstechnica.com/information-technology/2023/02/lastp...