Help! I think my Lastpass account has been compromised!
If you're concerned that your LastPass account may have been compromised but still have access to your account, please log in to LastPass and do the following immediately:
- Kill all other active sessions – In your web browser toolbar, go to LastPass icon > More Options > Advanced Tools > Other Sessions > Kill all but current session. Learn more.
- Review your account history – In your web browser toolbar, go to LastPass icon > Open my Vault > More Options > Advanced > History. Make note of any suspicious activity. Learn more.
- Ensure your account is restricted to only trusted devices – In your web browser toolbar, go to LastPass icon > Open my Vault > Account Settings > Mobile Devices. Remove any unknown or stolen devices from this list. Learn more.
- Ensure your account is restricted to only trusted locations – In your web browser toolbar, go to LastPass icon > Open my Vault > Account Settings > Show Advanced Settings. In the "Security" section for Country Restriction, check the box to enable the "Only allow login from selected countries" option, then check the boxes of all countries from which you want to approve LastPass access. Click Update when finished. Learn more.
- Update your Master Password – In your web browser toolbar, go to LastPass icon > Open my Vault > Account Settings > Change Master Password. Learn more.
- Update your LastPass account addresses – If your email address has also been compromised, it is recommended that you update your LastPass account email address using a different email address than what was listed for your account and your security email address (if you had set one up prior to being compromised).
Note: Tracking login and Form Fill history is enabled for all LastPass accounts by default.
If you have lost access to your LastPass account, do the following:
- Revert your Master Password – Navigate to https://lastpass.com/revert, enter your email address, then click Send Email. Learn more.
- If you are unable to revert your Master Password, it is recommended that you delete your LastPass account.
It is highly recommended that you begin changing your passwords for sensitive accounts (e.g., banking, email, social media, etc.) by generating secure passwords.
The following are best practices to protect yourself from compromising attacks in the future:
- Run antivirus, anti-malware, and security suites to scan your computer and remove all suspicious files.
- Enable Multifactor Authentication for an additional layer of security.
- Consider enabling credit monitoring alerts so that you are notified if there is suspicious activity on your credit report.
- Export your passwords and Secure Notes periodically and store them safely.
- Run the LastPass Security Challenge often to check for weak, duplicate, old, or compromised passwords.
- Protect your LastPass account data by requiring a re-prompt for your Master Password.