Prior LastPass secure notes at risk?

KJIsaacson
KJIsaacson
Community Member

I migrated from LastPass and am in the process of changing all of my passwords. However, I also had numerous secure notes. Those notes migrated to 1Password. But are they secure here? If my master password at LastPass was hacked, it would seem that the secure notes over there are at risk. But now here at 1PASSWORD, I can't "change" them, as the info stays the same. E.g., a note that has a bank account routing number can't be changed like a password can.

Comments

  • Hello @KJIsaacson! 👋

    You're correct that, if your LastPass vault was exfiltrated and breached, then the notes that you had stored in LastPass would be exposed. Moving your items to 1Password creates a copy of them that 1Password will then keep secure. However the original copy is still in your exfiltrated LastPass vault.

    I suggest reaching out to your bank, and any other relevant parties, for advice on what you should do regarding the information in your notes.

    Let me know if you have any questions. 🙂

    -Dave

  • Tertius3
    Tertius3
    Community Member
    edited January 2023

    A bank account routing number for a bank is like a street number for some home address. You cannot ask the person to change its street number, and you cannot ask the bank to change its routing number. It's just his property. The worst thing with this kind of breaches is all the data that cannot change. Because of this, identity theft is so evil. You just cannot change your name and your birthdate. You cannot escape from your breached data, because it is a permanent property of you.

  • KJIsaacson
    KJIsaacson
    Community Member
    edited January 2023

    As I suspected. With respect to the LastPass breach, do you know whether the wrongdoer(s) actually downloaded a copy of the vault contents, such that changing the master password in addition to deleting the vault contents offers protection?

    With respect to bank accounts, seems to me the "simplest" would be to open new accounts, even at the same bank. The routing number would, of course, stay the same, but the account number would be changed.

    Thanks.
    Ken

  • Tertius3
    Tertius3
    Community Member

    I am just some user, so take my info with some grain. This is what I learnt about the Lastpass breach. An encrypted backup of the cloud stored vault data was stolen. The encryption keys to the backup were stolen as well, so it is possible to decrypt the backup.

    The Lastpass vaults themselves are a mix of encrypted and unencrypted data. All metadata is unencrypted. Everything else seems unencrypted as well, except "website usernames and passwords, secure notes, and form-filled data" according to https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/. The encrypted parts are secured by the Lastpass account password.

    In contrast to that claim, the encrypted fields are actually only this, according to what Wladimir Palant, a security researcher writes in https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/:

    As you can see here, the encrypted fields are name, username (duplicated as u), p (password) and extra (password notes).

    Everything else is not encrypted.

    So everything except the mentioned fields are completely open and compromised.
    The encrypted fields stay secure and private according to the strength of your then Lastpass account password. If your "Secure Notes" are stored as extra (password notes), they are encrypted, otherwise probably not.

This discussion has been closed.