How to delete your LastPass account

 

As most are aware, LastPass has been hacked and the hackers have your vault. Gaining access to the vault may be exceedingly difficult but the link below provides a method to delete your account.

https://www.tomsguide.com/how-to/how-to-delete-your-lastpass...

--
John from PA

Thanks

Thanks. I've printed out the instructions should I decide to back up, then delete my LastPass data and account.

For now, I'm sticking with the free LastPass account, although I have changed and strengthened my Master Password.

The other things that I do as a Line 2 and 3 of defense are to have alerts set with my financial accounts and credit cards, and also to use 2FA with all accounts that offer them, as annoying as they can be if my cell phone is turned off or being recharged in another room.

IMHO

My guess is that if the hackers have your vault info, what's the point of deleting the vault now? It's kind of like closing the barn door after the horses have run out.

And I seriously doubt that if you delete your vault that the company really deletes it from all their backups, etc. so it's still "out there".

--
I never get lost, but I do explore new territory every now and then.

my understanding

is LastPass has been hacked, and the contents of the vault are never available, and, LastPass does not have the contents of the vault.

I could be wrong, but that's my understanding.

How many times has Amazon, Bank of America, etc. etc. been compromised? But it's not the same such as in 2000, when a kid in our marketing department literally downloaded 500k+ people's SS and DOB onto a USB drive, and lost it at a conference. Those days are long gone.

Another analogy that may or may not be similar. If my home has been broken into 3X, in order to prevent theft, I'll incinerate the entire contents as a precaution lol

Most people who have firearms have it inside of a safe, so that fire, thieves, etc., can't get them.

There is a lot of phishing and smishing going on and sometimes we need to stop and evaluate things for ourselves.

that's right

KenSny wrote:

My guess is that if the hackers have your vault info, what's the point of deleting the vault now? It's kind of like closing the barn door after the horses have run out.

And I seriously doubt that if you delete your vault that the company really deletes it from all their backups, etc. so it's still "out there".

The co. doesn't have this information themselves, meaning, you can't ask LastPass to send you a copy of what's in your vault. They don't know. Just as you can't call your IT Admin to email your password to you, they don't know it. They can delete your account, or they can reset your password, but that's it by design.

The 2 Best Actions For Continuing LastPass Users

Without your LastPass Master Password (the encryption/decryption key, which doesn't leave the device you're using, thus not available anywhere else), only those with a weak Master Password really need to worry. If you fear yours is vulnerable to being cracked, by all means, go revise your Master Password ASAP, then all stored passwords for every site, starting with those high value targets related to finances and PII (Personally Identifiable Information).

The 2nd important step is to open your LastPass Vault via a web browser so you can access your Options Menu. Under General Options, scroll down to (or select) Advanced Options, where you're looking to raise the Number of Iterations from earlier defaults of 500 or 100100, to something significantly higher (310000 was a recently recommended value from a knowledgeable source). Follow subsequent instructions, which need only a short time to complete and expect to log back in when prompted.
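To put the iteration counts from the post above in perspective, here is an added example (not part of the original thread, and not LastPass's own code) that expresses each setting as equivalent bits of master-password strength. It assumes PBKDF2-HMAC-SHA256 with the account email as salt; the password and email are constructed sample values.

```python
import hashlib
import math
import time

# Iteration counts mentioned in the post above.
ITERATION_COUNTS = (500, 100100, 310000)

def derive_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key.
    Assumption: PBKDF2-HMAC-SHA256 salted with the account email."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt.encode(), iterations, dklen=32
    )

def seconds_per_guess(iterations: int, sample: int = 20000) -> float:
    """Local cost of one derivation, scaled linearly from a shorter timed run."""
    start = time.perf_counter()
    derive_key("constructed-sample-password", "user@example.com", sample)
    return (time.perf_counter() - start) * iterations / sample

def added_bits(iterations: int, baseline: int = 1) -> float:
    """Extra guessing work from stretching, as equivalent bits of entropy."""
    return math.log2(iterations / baseline)

def password_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet)

def report():
    """One row per setting: (iterations, equivalent bits, seconds per derivation)."""
    return [(n, round(added_bits(n), 1), seconds_per_guess(n))
            for n in ITERATION_COUNTS]

if __name__ == "__main__":
    for n, bits, secs in report():
        print(f"{n:>7} iterations ~ {bits:4.1f} bits, {secs * 1000:7.1f} ms per derivation here")
    step = added_bits(310000, baseline=100100)
    char = password_bits(1, 26)
    print(f"100100 -> 310000 adds {step:.2f} bits; "
          f"one extra random lowercase letter adds {char:.2f} bits")
```

The comparison on the last line is why the post's first action matters more than the second: raising the count from 100100 to 310000 is worth less than one additional random character in the Master Password.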

it is all about following

it is all about following directions, isn't it? If u set it up properly u have a lot less worry.

Interesting read from some experts

--
John from PA

Some more commentary about LastPass

See https://www.usatoday.com/story/tech/2023/01/19/password-mana....

Interesting point that prior to 2018 many people may have had a very short and somewhat insecure master password and that password carried over to the newer versions of LastPass. Those vaults may be relatively easy to crack.

--
John from PA

The problems and merits of LastPass

In case anyone is interested in an article on the LastPass issue that provides a good discussion of the subject, and personal recommendations for action(s), I suggest going to:

https://askleo.com/lastpass-breach-2022-my-recommendation/

The author is a professional programmer who has been using LastPass himself for years. He has a mailing-list blog and a web site (AskLeo.Com) that covers a wide variety of computer-related subjects. I have found his articles very useful for some time.

FWIW, Leo is a Microsoft alumnus who focuses on Windows machines, but he also does a monthly podcast in partnership with the operator of MacMost.Com, who specializes in Apple subjects. I do not have a Mac, but I do have an iPhone and an iPad, and I have found MacMost.Com to be a really, really useful source of info and tips for those devices.

So AskLeo has been directly and indirectly beneficial for me in multiple areas.

- Tom -

--
XXL540, GO LIVE 1535, GO 620

Not all user metadata was encrypted

It seems that a significant amount of user metadata wasn't encrypted. About the only thing missing is your mother's maiden name. Significantly, they got an unencrypted list of all of your websites stored in the vault, making phishing significantly easier.

From https://blog.lastpass.com/2022/12/notice-of-recent-security-... "...the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.  

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data..."
Mark

Good info., was not aware of

Good info., was not aware of this. Hopefully Keepass is/stays secure.

Keepass

sunsetrunner wrote:

Good info., was not aware of this. Hopefully Keepass is/stays secure.

Keepass is a great password manager for folks with just one device or for folks with multiple devices willing to have Keepass on a USB stick. I just added it to my PC as a backup to bitwarden and really liked its ability to import my old LastPass vault. The Keepass vault is not in the cloud which is a plus from a security standpoint but a minus if using it on multiple devices unless kept on a USB stick. At least, that's my current understanding of the issues involved.

Since I want my manager available on more than one device, I use the free version of bitwarden as my login aid to websites.

Both the Keepass and bitwarden are recent additions after a strenuous effort in upgrading/strengthening individual passwords from LastPass and removing old logins no longer needed, then dropping my LastPass account.

Paradigm Shifted From My Earlier Post Above

Largely due to so many years as an early user, I was reluctant to choose whether to switch, but now that I've found familiar technical resources which I trust, I've moved over to the camp of former LastPass users. In addition to those which others have linked in this thread, I'll contribute this somewhat lengthy, technical Security Now podcast with well explained shortcomings by Steve Gibson about the product's current management.

https://youtu.be/fTtUhluQiIk

I'm ready to accept that LastPass has become like so many other once Best in Class products (remember Norton Utilities?) who were subsequently acquired by bigger companies with the bulk of further development devoted to modifying the app's viability as a cash cow.

A good question for current (and continuing) LastPass users to ask themselves is "What happens once such ownership drives the product to the point of being unprofitable and its servers all shut down?"

LastPass…maybe time to go

If you haven’t already gotten rid of LastPass, consider doing so now. See https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-...

--
John from PA

More bad news for LastPass subscribers

Now, not surprisingly, it's not just people storing crypto keys in their LastPass accounts who are being attacked and victimized. Criminals are actively exploiting contact information and sending out new and very official looking emails that are not really from LastPass but can lead to compromise of all password accounts.

If there's anyone here still subscribing to LastPass, please read and, as PCMagazine says: Pay Attention. Still consider that it's really time to bail on LastPass:
https://www.pcmag.com/news/pay-attention-hackers-are-targeti...

--
"141 could draw faster than he, but Irving was looking for 143..."