Typefully

What NOT to do when deleting your LastPass account...


3 years ago


🚨 PSA: If you're migrating away from @LastPass due to their security breach, don't do this, i.e., delete items from your vault and keep your account around. theverge.com/2022/12/28/23529547/lastpass-vault-breach-disclosure-encryption-cybersecurity-rebuttal?commentID=fdda8faa-b276-4244-9dcd-292fcded4456 This does NOT guarantee that it will be deleted! 😟 (And what you SHOULD do instead 🧡)
LastPass can *only* update your vault when you're logged in to one of their apps. When you "delete" something in LastPass, it gets moved to a deleted items folder and kept there for 30 days. (This is actually pretty common in most password managers.)
This is designed to prevent credentials/passwords from being lost if they get deleted accidentally, so it's generally a good idea. *If* your LastPass client remains logged in for the next 30 days, on the 31st day it *actually* deletes these entries and re-uploads a new vault.
However... if your LastPass app gets logged out due to inactivity, or if you explicitly log out because you no longer want it, guess what: LastPass *only* has the vault *with* the credentials in the "deleted" state. It cannot modify or make changes, including deletion. 😳
In this particular example, LastPass's security model worked *exactly* the way it’s supposed to: any changes to the vault only happen when it’s decrypted. This can seem counter-intuitive since for *most* other services, a deletion request is (eventually) carried out when asked.
Here’s the kicker: if the person in this example had *actually* deleted their account, rather than keeping it around, the account + the entire vault (along with the deleted/trash folder) would have been deleted. Keeping the account active is what kept the vault alive.
🧐 So what *should* you do instead, if you're moving away from LastPass?
- If you want to keep your LastPass account active, but with no contents in it, delete your vault's contents AND also go to Advanced Options > View Deleted Items, then choose Permanently Delete All
- If you *don't* ever plan on using LastPass going forward, do the above and then ALSO request an account deletion: support.lastpass.com/help/delete-your-lastpass-account-lp010012
I recommend BOTH steps and not just skipping to account deletion, because asking for your account to be deleted doesn't always mean it's honoured. Case in point... 🤦🏽‍♂️👉🏽 twitter.com/troyhunt/status/1610008559600930817?s=20
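To make the deletion mechanics above concrete, here is an added Python model (not LastPass code, and not from this thread) of a client-side-encrypted vault with a 30-day trash folder: the server only ever stores ciphertext, so the trash can be emptied only by a logged-in client. The cipher, the `Client`/`scenario` names, the dates and the "bank"/"hunter2" entry are all constructed for the example.

```python
import hashlib
import json
from datetime import date, timedelta

TRASH_RETENTION_DAYS = 30  # the 30-day "deleted items" window the thread describes

def toy_cipher(key: bytes, data: bytes) -> bytes:
    # Stand-in for the real vault cipher: XOR with a SHA-256 counter keystream (symmetric, toy only).
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Client:
    def __init__(self, key: bytes, server: dict):
        self.key, self.server, self.vault = key, server, None  # plaintext vault exists only while logged in
    def login(self):
        blob = self.server.get("blob")  # decrypt whatever the server holds, or start empty
        self.vault = json.loads(toy_cipher(self.key, blob)) if blob else {"items": {}, "trash": {}}
    def logout(self):
        self.vault = None
    def _upload(self):
        self.server["blob"] = toy_cipher(self.key, json.dumps(self.vault).encode())  # server sees ciphertext only
    def delete(self, name: str, today: date):
        # Soft delete: the entry moves to the trash folder but is still inside the uploaded vault.
        self.vault["trash"][name] = [self.vault["items"].pop(name), today.isoformat()]
        self._upload()
    def purge_expired(self, today: date):
        # Only a logged-in client can do this; the server has no key and a logged-out client has no plaintext.
        if self.vault is None:
            return
        self.vault["trash"] = {n: v for n, v in self.vault["trash"].items()
                               if today - date.fromisoformat(v[1]) <= timedelta(days=TRASH_RETENTION_DAYS)}
        self._upload()
    def permanently_delete_all(self):
        # "Advanced Options > View Deleted Items > Permanently Delete All"
        self.vault["trash"].clear()
        self._upload()

def scenario(*steps: str) -> bool:
    # steps after the soft delete: "purge_all" and/or "logout"; returns True if stolen blob + master key still yield the entry.
    server, day0 = {}, date(2022, 12, 1)  # constructed sample timeline
    client = Client(b"key-derived-from-master-password", server)
    client.login()
    client.vault["items"]["bank"] = "hunter2"  # constructed sample entry
    client.delete("bank", day0)
    actions = {"purge_all": client.permanently_delete_all, "logout": client.logout}
    for step in steps:
        actions[step]()
    client.purge_expired(day0 + timedelta(days=31))  # day 31: the scheduled purge
    vault = json.loads(toy_cipher(client.key, server["blob"]))
    return "bank" in vault["items"] or "bank" in vault["trash"]
```

`scenario("logout")` leaves the entry recoverable from the server's blob, while `scenario()` (client stays logged in) and `scenario("purge_all", "logout")` do not, which is the thread's point about emptying the deleted-items folder before logging out.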
Ankur Banerjee 🆔

@ankurb