Urgent! If you use LastPass: address this IMMEDIATELY
If you use LastPass, attackers likely have a copy of your vault and all your passwords.
Changing your master password now won’t help, as they already have a copy that can be unlocked with your old password.
Background:
LastPass, a well-known password manager, was recently hacked, and all the passwords stored by the service were stolen. The hackers managed to obtain a backup copy of the service’s customer data, which included sensitive data and, of course, the passwords, even though they were encrypted. On December 22nd, LastPass announced on their official blog that unauthorized access had taken place: the hackers managed to obtain a backup containing “both unencrypted data like website URLs and all sensitive encrypted data such as usernames, passwords, security hints, and form autofill data.”
What to do?
1.) Stop using LastPass.
We don’t know how bad the situation is. It’s possible that attackers still have access. So don’t just change your passwords and save them again in LastPass. We’ll manually address the urgent accounts first and then set up a new password manager.
2.) If you have virtual assets and stored their seed phrases in LastPass, you must take care of this immediately.
Create new wallets, write the seed phrases ONLY on paper, and transfer all your assets to the new wallets.
Don’t waste time finding a perfect custody solution, because that’s time you don’t have. If the attacker has access to your seed phrases, they can steal your assets at any time, and you can’t undo it. Protect your assets first and think about long-term storage later.
3.) Change your passwords for exchanges and other financial products.
Write down your passwords on paper for now. Use a different password for each exchange.
Enable 2FA and make sure the 2FA code is not stored in LastPass. If it is, remove 2FA and set it up in another app.
4.) Change the passwords for your email accounts.
Anyone who has access to your emails can access your other accounts through “forgot password” mechanisms, so make sure your email accounts are secure. Use a unique password per service, write it down on paper, and use 2FA that was not stored in LastPass.
5.) Also change the passwords and 2FA of your Apple iCloud and Google accounts.
These accounts can probably access the data on your iPhone/Android through backups and cloud synchronizations and potentially lock you out, so change them as soon as possible.
6.) You have now protected your most important data. Set up a new password manager.
Consider 1Password/Bitwarden/Keepass. Our favorite is Keepass. We have also published a video on this.
Set one up with a new, strong master password. Store your new passwords in this manager. No seed phrases! These are too critical for an online password manager.
7.) Now that you have a new password manager, use it to change the passwords of all your non-critical accounts.
Yes, all.
You probably have many, so prioritize the most important ones. Work accounts, file/photo storage, social media.
8.) We recently released the “Passwordless” video. Be sure to watch it, as what it describes (USB security tokens) helps prevent something like this from happening again.