Rotating Your Passwords After a Password Manager Breach

It’s been nearly a year since LastPass was breached and users’ encrypted vaults were stolen.

I had already migrated to a different password manager for all my existing and new accounts, but I had been putting off rotating passwords for existing accounts. I was like the child who plugs his ears while chanting, “La, la, la, I can’t hear you. I have a long master password,” while his parents try to provide wisdom. I know I’m not alone in this either. 

Recently, there’s even been evidence that attackers have cracked users’ vaults and begun stealing cryptocurrency from the victims. This was the final push I needed to unplug my ears and take action. 

If you’re anything like me, you have hundreds of accounts accumulated over time. Whenever I looked at the pile of accounts and secrets in my stolen vault, I became discouraged by the seemingly insurmountable task of logging into each site and changing the password. What I realized was that it wasn’t all or nothing; not all these dusty old accounts were of the same value to me (or an attacker). I decided to make a prioritized list to work through. This turned out to be a much more fruitful exercise than just hoping the problem would go away.

I decided I would share my thought process and my prioritization list for anyone else who might find it useful. Hopefully, this post can be a gentle nudge to shore up your own personal security. 

General Considerations 

  • This applies even if you haven’t migrated from LastPass to another password manager. 
  • If you have a significant other, help them through this process as well. Not only because you care for them, but because a breach of their accounts could affect you as well. 
  • I have extreme dislike for “security” questions, also known as account recovery questions. I tend to pick nonsense answers that are untrue, but still plausible in case I ever have to use them with a real person. I store these questions and answers in my password manager. This means that I need to change these answers as well. 
  • Since I was logging into accounts anyway, I took the opportunity to evaluate any new 2FA capabilities and upgrade to a stronger mechanism where possible (none -> SMS -> TOTP -> Security Key). Some accounts are even starting to support Passkeys. 
  • Prioritize accounts with no existing 2FA enabled. But remember that your account is only as strong as its weakest link.

Prioritization Steps 

  1. Export a backup from your current password manager. You never know when this can come in handy. Store this in a secure place.
  2. Change email account passwords. Email is often used to recover passwords.
  3. Change cell provider password. Set a port-out PIN if your carrier supports it. This will reduce the risk of a SIM swapping attack.
  4. Change all financial account passwords.
    • Prioritize from most money to least.
    • Investments, banking, credit cards
    • Cryptocurrency – If your seed phrase or wallet key was exposed, transfer your coin to a new wallet.
  5. Rotate any private keys that were exposed (e.g. SSH, GPG, TLS).
    • Prioritize ones without encryption or where the encryption password was also stored.
    • This is probably the biggest headache of all because it involves revoking key signatures and removing SSH keys from all systems where they were added.
  6. Other important accounts. Think of places where it would be detrimental for someone to impersonate you.
    • Identity providers – Places you see listed on the “sign in using another account” pages (e.g. Apple, GitHub, Facebook, Google, Microsoft).
    • Cloud infrastructure (e.g. Digital Ocean, AWS, Azure)
    • DNS Registrars (e.g. Cloudflare, GoDaddy, Namesilo)
    • Code repos (e.g. GitHub, GitLab)
    • File backups (e.g. Dropbox, Backblaze)
    • Remote management (e.g. TeamViewer)
    • Shopping (e.g. Amazon)
    • Social media
  7. Finally, delete your LastPass account if you have migrated elsewhere. Of course, this won’t help protect anything already stolen, but it will help reduce your risk in the future by reducing your attack surface to only what you are actually using (whatever your current password manager is).

Ultimately, you get to decide how far down this list you want to go. 
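As an added example (not code from the original post), here is a small Python script that applies the prioritization above to a password-manager CSV export: it orders entries by the post's steps, pulls entries whose notes hold raw key material into the key-rotation step, and within a tier lists accounts with no stored TOTP secret first. The column names (url, name, totp, extra), the keyword lists, and the sample export are assumptions constructed for this example; extend the keywords to match your own vault.

```python
import csv
import io
import re

# Tiers follow the post's prioritization steps; lower number = rotate first.
# Keyword lists are an illustrative assumption, extend them for your own vault.
TIERS = [
    (2, "email", ("gmail", "outlook", "proton", "fastmail")),
    (3, "cell provider", ("verizon", "t-mobile", "att.com", "vodafone")),
    (4, "financial", ("bank", "fidelity", "schwab", "coinbase", "paypal")),
    (6, "identity provider", ("apple.com", "github.com", "facebook.com",
                              "accounts.google.com", "microsoft.com")),
    (6, "infrastructure", ("digitalocean", "aws.amazon", "azure", "cloudflare",
                           "godaddy", "namesilo", "gitlab", "dropbox",
                           "backblaze", "teamviewer")),
    (7, "shopping / social", ("amazon.com", "twitter", "reddit")),
]
# Notes holding raw key material need step 5 (revoke and reissue the key),
# not just a password change, whatever site the entry belongs to.
KEY_MATERIAL = re.compile(r"BEGIN (?:[A-Z ]+ )?PRIVATE KEY|seed phrase", re.I)

def classify(row):
    """Return (tier, label) for one vault entry (assumed column names)."""
    if KEY_MATERIAL.search(row.get("extra") or ""):
        return 5, "exposed private key / seed"
    haystack = f"{row.get('url', '')} {row.get('name', '')}".lower()
    for tier, label, needles in TIERS:
        if any(n in haystack for n in needles):
            return tier, label
    return 9, "other"

def prioritize(csv_text):
    """Parse an export; sort by tier, then entries with no TOTP secret first."""
    out = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        tier, label = classify(r)
        has_totp = bool((r.get("totp") or "").strip())
        out.append((tier, has_totp, label, r.get("name", ""), r.get("url", "")))
    return sorted(out, key=lambda e: (e[0], e[1], e[3]))  # False < True

# Constructed sample export; passwords and notes are placeholders, not real secrets.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.google.com,alice@example.com,PLACEHOLDER1,,,Gmail,Email,0
https://www.amazon.com,alice,PLACEHOLDER2,,,Amazon,Shopping,0
https://www.fidelity.com,alice,PLACEHOLDER3,TOTPSECRETPLACEHOLDER,,Fidelity,Finance,0
https://www.verizon.com,alice,PLACEHOLDER4,,,Verizon,Phone,0
https://example.org,root,PLACEHOLDER5,,-----BEGIN OPENSSH PRIVATE KEY----- ...,Homelab SSH,Keys,0
https://www.somehobbyforum.net,alice,PLACEHOLDER6,,,Hobby forum,Misc,0
"""

if __name__ == "__main__":
    for tier, has_totp, label, name, url in prioritize(SAMPLE_EXPORT):
        print(f"step {tier} | {'2FA' if has_totp else 'no 2FA':6} | {label:26} | {name} ({url})")
```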
