LastPass Security Incident Notifications

LastPass is the preferred password manager recommended by Harvard University Information Security. If you use LastPass, you may have received a notification regarding a security incident, disclosed on Monday June 15th, involving LastPass servers.

What happened?

Cyber criminals illegally accessed LastPass servers and stole the following information:

· Email addresses
· Password reminders
· Server-side salts and authentication hashes (pieces of the encryption process)

An investigation after the incident revealed that the theft was limited and did not include the following pieces of information:

· Passwords
· Notes
· Form fill data
· Usernames

Note: The security design of LastPass would make a large-scale breach of this type of data highly unlikely.

What’s at risk for LastPass users?

The process and algorithms LastPass uses are very strong, so there is low risk of anyone “cracking” a strong master password. However, a reminder hint for a forgotten password could disclose it (for example, if your hint was “The capital of Louisiana” and you used BatonRouge as your password). Weak passwords, such as “password1!” or “redsox4”, are easily guessed and are a security concern under these or any conditions.

LastPass will be sending email messages to all registered users to encourage them to change their master password as a cautionary measure. If LastPass detects login attempts from devices or locations that have not been used in the past to access a particular account, it will send a message to the account email address requiring verification before allowing access. Those who already have two-step verification enabled will continue to log in normally via that process.

What should I do?

For users who are already following good security habits, there is no need to worry. While a strong master password and 2-step verification should prevent any personal data loss, we recommend that users follow the guidance from LastPass and reset their master passwords.

1. Use Strong Passwords

· Log in to LastPass and change your master password. This can be done through the application, the browser plug-in, or by visiting www.lastpass.com. Make sure to create a long, unique password that cannot be guessed.
· If you have used your old master password with any other site or service, change it to something unique.
· Turn on 2-step verification for LastPass. With this security feature enabled, a stolen password won't become a stolen account. Learn more here: https://helpdesk.lastpass.com/multifactor-authentication-options/#Multif....

2. Click Wisely

· Though email accounts were not accessed, the addresses were disclosed. As a result, you may see targeted phishing related to LastPass. Do not follow links to LastPass in email. Instead, visit the site directly at www.lastpass.com.

Where can I get more information?

LastPass is providing more detail and updates within the blog section of their website.
(https://blog.lastpass.com/2015/06/lastpass-security-notice.html/)

If you have questions you would like answered directly, contact Harvard University Information Security via the help desk.

See also: Security Alerts