InfoSec Alert: LastPass Security Breach

On December 22nd, 2022, LastPass notified their customer base of a cybersecurity incident that put customer data and passwords at risk. This incident occurred in November of 2022.

Bad actors could potentially possess encrypted user data that includes “usernames, passwords, secure notes, and form-filled data,” according to LastPass. Even with this data in their possession, a bad actor cannot decrypt it without the “Master Password.” LastPass does not store or maintain this password.

What does this mean?

If you are a LastPass user and do not currently have a strong master password, there is a chance your account has already been compromised or could be compromised.

Is your password strong?

A strong password includes a combination of these characteristics:

  • 12+ random characters, including a combination of letters, numbers, and special characters
  • A passphrase (a combination of five+ random words strung together to make a long password)

A strong password will also be entirely original and specific to the LastPass website. Recycled passwords are susceptible to attack.

If your master password is not strong, we suggest you change it immediately and consider the following recommendations: 

  • Determine the information stored in your LastPass vault. Change the password for critical accounts stored in the vault (financial information, WUSTL Key password, or any other website storing private or sensitive information).
  • As a best practice, turn on two-factor authentication for all websites that offer the option, especially the critical sites identified above. Fortunately, two-factor authentication already protects WashU accounts.
    • If you are prompted with a two-factor authentication notification and did not initiate it, reject it immediately and change the password for the compromised account.
  • Keep a lookout for phishing attempts from bad actors attempting to steal your master password. According to LastPass’s report, “LastPass will never call, email, or text you to click on a link to verify your personal information.”

If you have many passwords within your vault, change the most critical passwords first. Hackers will target anything they can use for financial gain or any personal information they could use or sell. 

What is next? 

LastPass users should be aware of any unusual activity on accounts stored in the password vault.

A password vault such as LastPass is generally very secure. Provided you take the necessary steps to remediate this security incident, your future passwords should be safe in the vault. 

If you suspect any of your accounts have been compromised and need assistance, please contact the Office of Information Security by emailing infosec@wustl.edu.