In August of 2022, LastPass suffered a security incident, which Information Systems and Technology (IS&T) has been monitoring. LastPass continues to investigate, and in late December 2022 reported that the attackers were able to download a backup of customer vault data that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
New as of March 1, 2023: LastPass has posted a new update on this incident with revised recommended actions. Note that the recommended password iteration setting below has been revised. Previously, LastPass recommended a minimum setting of 310000; the new recommendation is a minimum setting of 600000.
While passwords remain encrypted, the attackers may use the unencrypted data to target LastPass users with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault.
The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. If your master password meets best practices, LastPass does not recommend further action. If your LastPass master password does not comply with LastPass best practices, you will want to change your master password and all the passwords in your LastPass vault. We have sent emails to all active MIT LastPass users with recommended actions based on the strength score of their LastPass master password and Password Iteration settings. If we determine you owned a shared folder that was shared with a user with weak password settings, you may receive two emails with recommendations.
Changing your master password and all the passwords in your LastPass vault if you have a weak master password or a Password Iteration setting less than LastPass’s recommended 100,100.
- If you have a strong password (over 12 characters, including numbers and special characters) AND your password iteration setting is 100100 or higher, LastPass is not recommending that you change the passwords in your LastPass vault, although you may wish to do so out of an abundance of caution.
- Changing your password iteration setting to at least 310,000 (the number recommended by the Open Web Application Security Project (OWASP) for PBKDF2-HMAC-SHA256). Unfortunately, we are unable to change this setting for you; see the instructions on the LastPass website
- Changing your master password if you have not changed it within the past year.
- Ensuring Duo is enabled for your LastPass account
- We only have data for MIT LastPass accounts. If you have a personal LastPass account, you may want to review your master password strength, password iteration settings, and consider resetting passwords.
For details and updates on this incident, visit the LastPass blog.
As a reminder, MIT's Information Protection website provides access to policies and guidance on safeguarding information at the Institute. If you believe a breach of MIT information has occurred, immediately report the IT security incident by sending email to firstname.lastname@example.org.
Does changing my master password or number of iterations do anything to lessen the value of the stolen vault?
No. Changing your master password or password iteration settings will not protect the stolen vaults. This will only help protect your vault in the future.
Is MIT one of the 3% of LastPass customers mentioned on their blog?
The email notification said my master password had a score of 0, should I change all the passwords in my vault?
If your master password has a score of 0, LastPass did not have a score for your master password.
Is my master password score the same as my LastPass security score?
No, the security score rates the strength of the passwords in your vault, the master password score we are using is only for your LastPass master password.
Can I review my master password score?
Unfortunately, it is only visible to LastPass administrators. If you would like to check the strength of a password, there are many services that do this. We would recommend not sending your exact password but something similar.
Does multi-factor authentication (MFA) protect me from this incident?
Now that the attacker has a copy of the encrypted vault, they are able to attempt to brute force your LastPass master password at their leisure. MFA on your LastPass account would help protect any new passwords in your vault, assuming your master password were compromised. MFA on the accounts relating to passwords stored in your vault would help protect those accounts, assuming your master password were compromised.
Is MIT considering offering a different password manager?
We will continue to evaluate options to determine which product or products best serve the Institute’s needs.
Should I delete my LastPass account?
Unfortunately, that will not protect you from this data incident.
This story was originally published on December 23, 2022, and has been updated.