LastPass Security Incident – Actions to Take

December 23, 2022 | Alerts

Update 3/1/2023: LastPass has provided more technical details about the incident and additional recommendations; see More Information below.

LastPass, the provider of a password manager and vault security product used by some at UCI, experienced a cybersecurity incident in August of this year. At that time, they reported no impact to customer information and no impact to customer password vaults.

Yesterday, LastPass unexpectedly announced that customer information (company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses) and encrypted password vaults were stolen.

Risks

  • We don’t know if a subset or all of their customers are affected, but we are assuming the worst-case scenario.
  • While the stolen password vaults are encrypted with a key derived from each user’s master password, there is a possibility that a master password could be guessed over time by offline brute-force methods and the vault then decrypted; shorter master passwords are more vulnerable.
  • Since the threat actor has an offline copy of the encrypted vault, UCI multi-factor authentication would not protect against such brute-force cracking: the attacker never has to log in to LastPass, only to guess the master password against the copy they already hold.
  • LastPass also revealed that website URLs stored in the vault are not encrypted; only the username, password, and notes fields are.
  • Since the threat actor also obtained customer names and email addresses, there is increased risk of them sending phishing messages to trick you into giving them your master password.

Actions to Take

  • A strong master password (see password strength resources below) should make it very difficult and very time-consuming to crack any stolen encrypted vault. However, practicing due diligence is always a good idea.
  • Whether you use a personal LastPass account or the UCI-provided LastPass Enterprise account, we recommend you change your LastPass master password to a new, unique value that is at least 12 characters long; the longer, the better.
  • Never provide your master password (or any password) to anyone. If anyone asks you for it, contact OIT Security immediately.
  • We recommend changing any high-value passwords stored within LastPass within a reasonable timeframe and enabling multi-factor authentication on those accounts where possible.
  • If you had a weak master password and also stored any personally identifiable information in a LastPass Secure Note, you may also want to consider these identity theft protection tips.
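
The two points above about offline brute force and master-password length can be made concrete with a cost estimate. The following is an added example, not code from this alert or from LastPass: it assumes the vault key is derived with PBKDF2-HMAC-SHA256 (the key-derivation function LastPass documents using), uses a placeholder iteration count and a hypothetical attacker guess rate, and shows why the iteration count multiplies the attacker's cost per guess while password length is what pushes the worst-case time out of reach.

```python
import hashlib
import math
import time

# Assumed parameters (not taken from the UCI alert): the vault key is derived
# from the master password with PBKDF2-HMAC-SHA256. The iteration count is a
# placeholder for illustration, and the guess rate is a hypothetical figure
# for a well-resourced adversary running the derivation on GPU hardware.
PBKDF2_ITERATIONS = 100_000          # placeholder, check your own account settings
ASSUMED_GUESSES_PER_SECOND = 1e6     # hypothetical offline cracking rate

# Character-set sizes used for the keyspace estimate.
CHARSET_SIZES = {
    "lowercase": 26,
    "mixed-case": 52,
    "mixed-case+digits": 62,
    "mixed-case+digits+symbols": 95,
}


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte vault key the way a PBKDF2-based vault does.

    Every brute-force guess must repeat this exact work, so the iteration
    count raises the cost per guess but does nothing to rescue a short
    password: the number of guesses is fixed by length and character set.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly this length and character set."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of this length and character set."""
    return length * math.log2(charset_size)


def worst_case_seconds(length: int, charset_size: int,
                       guesses_per_second: float) -> float:
    """Seconds to exhaust the keyspace at a fixed guess rate.

    This is an upper bound for a truly random password; a master password
    built from dictionary words or patterns falls far sooner.
    """
    return keyspace(length, charset_size) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def measure_local_rate(samples: int = 5) -> float:
    """Single-thread PBKDF2 derivations per second on this machine.

    A GPU cracker is orders of magnitude faster, so treat this as a floor
    that only illustrates how the iteration count slows each guess.
    """
    salt = b"constructed-salt"  # constructed value, not a real vault salt
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt)
    return samples / (time.perf_counter() - start)


def projection(charset_name: str, lengths,
               guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Worst-case cracking time (seconds) for each requested password length."""
    size = CHARSET_SIZES[charset_name]
    return {n: worst_case_seconds(n, size, guesses_per_second) for n in lengths}


if __name__ == "__main__":
    print(f"local single-thread rate: {measure_local_rate():.1f} guesses/s")
    for n, secs in projection("mixed-case+digits+symbols", (8, 10, 12, 16)).items():
        print(f"{n:2d} chars: {entropy_bits(n, 95):5.1f} bits, "
              f"worst case {human_duration(secs)}")
```

Each additional character multiplies the attacker's worst-case work by the character-set size, which is why the recommendation above is stated in terms of length rather than complexity rules. The projection is only a ceiling: most human-chosen passwords occupy a tiny, predictable corner of the keyspace, so a master password that is merely long but built from common words or a reused pattern should still be replaced.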

More Information

Password Strength Resources
