Guidance on the LastPass security breach announcement of Dec 22, 2022
Information provided by Penn OIS (Office of Information Security) on Friday, Dec 23, 2022:
LastPass, the password manager licensed by Penn, had previously notified Penn and individual users of the product that LastPass is investigating a security incident involving unauthorized access to LastPass systems.
Yesterday evening, LastPass released an update. LastPass is now reporting that the malicious actor may have had access to some plaintext information, such as users’ login email addresses. They also believe that users’ encrypted password data may have been accessed, but that, due to their zero-knowledge infrastructure, that data cannot be decrypted without the user’s master password and second-factor authentication, if enabled.
Based on the information we have now, we recommend all the following:
- Be sure that your master password is strong and not easily guessed.
- For guidance on setting a strong password, see the “Set Strong Passwords” snippet found here: https://www.isc.upenn.edu/security/aware/desktop
- Be sure that your master password is not repeated or reused by any other accounts that you have.
- If your master password has been reused elsewhere, it should be updated to a unique password and LastPass’s password change tools should be used to update the passwords stored by LastPass.
- The risk is that the malicious actors may have access to other breaches from sources outside of LastPass. If your password from another service has been leaked, and your LastPass master password is identical, malicious actors may be able to tie the two together.
- Be sure that you have two-factor authentication enabled.
- Because your email address and the sites LastPass stores passwords for (but not the passwords themselves) have been accessed, there is an increased risk of phishing attacks that impersonate LastPass or otherwise target LastPass users. Please remain alert for these types of attacks.
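The two checks in the list above that can be automated are "not reused" and "strong". The following script is an added illustration and is not code from Penn OIS or LastPass. It runs entirely offline: the "leaked" credential set is constructed for the example, the hash-prefix index assumes the k-anonymity range layout used by services such as Have I Been Pwned's Pwned Passwords (only a 5-character SHA-1 prefix is ever shared with such a service; the suffix match happens locally), and the 80-bit entropy threshold is an assumption chosen here, not a Penn or LastPass requirement.

```python
import hashlib
import hmac
import math
import string

# Constructed sample of credentials "leaked from other services" (hypothetical,
# made up for this example; not real breach data).
CONSTRUCTED_LEAK = [
    "Penn2022!",
    "password123",
    "correcthorsebatterystaple",
    "Summer2019",
]

# Minimum strength for a password that protects an encrypted vault. This is an
# assumption chosen for the example, not a LastPass or Penn OIS figure.
MIN_ENTROPY_BITS = 80


def sha1_upper_hex(password: str) -> str:
    """SHA-1 hex digest (uppercase), the form used by breach range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked_passwords):
    """Index leaked hashes as 5-hex-char prefix -> set of 35-char suffixes.

    This mirrors the k-anonymity "range" layout of Pwned Passwords: a client
    reveals only the prefix and compares suffixes locally. Here the whole
    lookup is offline against the constructed sample.
    """
    index = {}
    for pw in leaked_passwords:
        digest = sha1_upper_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_reused(master_password: str, index) -> bool:
    """True if the master password's hash appears in the leaked-password index."""
    digest = sha1_upper_hex(master_password)
    candidates = index.get(digest[:5], set())
    # Constant-time comparison of each suffix avoids an early-exit timing leak.
    return any(hmac.compare_digest(digest[5:], s) for s in candidates)


def estimate_entropy_bits(password: str) -> float:
    """Coarse upper bound on guessing entropy: len * log2(character pool size).

    Real guessers exploit dictionary words and patterns, so this overestimates
    "Summer2019"-style passwords; treat it as a first check, not a guarantee.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII punctuation characters
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def assess_master_password(master_password: str, index) -> dict:
    """Apply the advisory's two checks: the master password is not reused and is strong."""
    reused = is_reused(master_password, index)
    bits = estimate_entropy_bits(master_password)
    return {
        "reused": reused,
        "entropy_bits": round(bits, 1),
        "acceptable": (not reused) and bits >= MIN_ENTROPY_BITS,
    }


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAK)
    for candidate in ("Penn2022!", "Summer2019", "7Tq!mZ#vLp9@xR4wE"):
        print(candidate, assess_master_password(candidate, idx))
```

A candidate that fails either check should be replaced, and, as the list above says, the passwords stored in the vault should then be rotated with the password manager's own change tools, since a reused master password ties every stored credential to the other service's breach.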
A full update from LastPass can be found at this blog post:
If you have questions or concerns, please contact your LSP.