Recent news of a LastPass security incident (see https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) and the notification email sent by LastPass may generate concern among Auburn users.
On December 22nd, LastPass notified its customers that an unauthorized third party had obtained a copy of the encrypted customer password vaults.
LastPass has said that the breach exposed unencrypted customer data (email addresses, website URLs, etc.) and encrypted data (usernames and passwords). Based on what has been reported, there is probably no cause for immediate alarm, assuming you have used a strong master password. The master password only exists on the computer or mobile device on which you use LastPass and is never sent to LastPass.
The actual risk to you depends on several factors:
- The strength of your master password
- The attacker’s resources to crack or guess your password
- The attacker’s reason to attack your password specifically
- The potential damage of a compromise of your individual site passwords (financial sites, email, etc)
- The time that has passed since the breach: the more time the attacker has to guess the master password, the more likely they are to succeed.
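The risk factors above (master password strength, attacker guess rate, and elapsed time) can be put into numbers. The following is an added illustration, not code from the notice or from LastPass: it estimates the brute-force entropy of a master password or passphrase and, for an assumed attacker guess rate, the expected time to crack it and the probability it has been found after a given number of days. The guess rates are constructed assumptions for illustration only, and the entropy figures are an upper bound (an attacker using dictionaries and rules will do better against a human-chosen password than pure brute force).

```python
import math
import string

# Constructed, illustrative guess rates (guesses per second) for an offline
# attack against a vault protected by a slow, salted key-derivation function.
# These are assumptions for the example, not figures reported by LastPass.
GUESS_RATES = {
    "single_gpu": 1e5,
    "gpu_cluster": 1e8,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound brute-force entropy: log2(charset ** length).

    This overestimates the strength of dictionary words, names and common
    patterns, which attackers try first.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random from a
    word list (7776 words is the size of a standard diceware list)."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def probability_cracked_by(bits: float, guesses_per_second: float, elapsed_seconds: float) -> float:
    """Fraction of the keyspace an attacker guessing uniformly has covered after
    elapsed_seconds, capped at 1.0. Models the 'time since the breach' factor."""
    searched = guesses_per_second * elapsed_seconds
    return min(1.0, searched / (2.0 ** bits))


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def risk_report(bits: float, elapsed_days: float) -> dict:
    """Expected crack time (years) and probability already cracked, per assumed attacker."""
    elapsed = elapsed_days * 24 * 3600
    return {
        name: {
            "expected_years": years(expected_crack_seconds(bits, rate)),
            "p_cracked_so_far": probability_cracked_by(bits, rate, elapsed),
        }
        for name, rate in GUESS_RATES.items()
    }


if __name__ == "__main__":
    # Constructed sample inputs: an 8-character lowercase password versus a
    # six-word random passphrase, evaluated 30 days after the breach notice.
    for label, bits in [
        ("8 lowercase chars", entropy_bits("abcdefgh")),
        ("6-word passphrase", passphrase_entropy_bits(6)),
    ]:
        print(f"{label}: {bits:.1f} bits")
        for attacker, r in risk_report(bits, elapsed_days=30).items():
            print(f"  {attacker:12s} expected {r['expected_years']:.3g} years, "
                  f"P(cracked in 30 days) = {r['p_cracked_so_far']:.2%}")
```

Running it shows why the notice emphasises a long, unique master password: an 8-character lowercase password (about 38 bits) is expected to fall within days even at the slower assumed rate, while a six-word random passphrase (about 78 bits) remains out of reach for any realistic attacker, and the probability of compromise for the weak password climbs quickly with the days since the breach.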
What should I do?
There are a handful of simple actions you can take now to mitigate any potential risk from the LastPass breach.
- Change your master password to a long and unique password or passphrase. This will stop any future attempts to log in to your LastPass account if your current password does become compromised.
- Verify you have multi-factor authentication set up both on LastPass and on all critical sites (financial, email, social media, etc.).
- Check your security score in LastPass and follow recommendations to change duplicate passwords, short passwords, and any passwords reported in other breaches.
- Also consider generating new passwords for critical sites on an annual basis (the password manager eases the burden of doing this).
- Be aware of phishing attempts targeting you specifically (spearphishing) based on the unencrypted data that was exposed (your email address and the sites you saved passwords for).
- Review the LastPass recommendations linked below.