IT Professionals,
In December, the popular password manager LastPass announced that they had a serious data breach. In August 2022, an unauthorized third party gained access to a cloud-based storage service containing archived backups of production data, including an unknown number of passphrase vaults. Although the passphrases in the vaults are encrypted, threat actors can brute force the vault copies they downloaded offline, and changing your master passphrase now does not protect a copy that was already taken.
The University Information Security Office (UISO) recommends the following actions if you use LastPass to store passwords, or other critical information:
- Make sure your LastPass software is up to date and set a new vault master passphrase. The new passphrase should be at least four words or 20 characters long, whichever is longer.
- Assess the risk of credentials stored in the vault. Prioritize changing those with the greatest risk (API Keys, logins without multi-factor authentication, credentials used to access resources that are highly valuable to the institution). Change any stored IU passwords immediately.
- Plan a transition to another passphrase manager. The security community consensus is that LastPass may be downplaying the potential risk of this exposure, and several of their security practices seem inadequate to mitigate this kind of risk. We recommend users and teams move away from LastPass in favor of 1Password, Bitwarden, or other password managers.
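The two practical steps above (triaging stored credentials by risk and choosing a new master passphrase that meets the stated minimum) can be turned into a small helper. The script below is an added example, not part of the UISO advisory or any LastPass tooling. It assumes a constructed, generic CSV export layout (`name,url,username,has_mfa,kind,value_to_institution`) that is not the real LastPass export format, and the sample rows are constructed data.

```python
"""Credential triage helper (added example, not from the UISO advisory).

Assumes a constructed, generic CSV export with the columns
name,url,username,has_mfa,kind,value_to_institution.
This is NOT the real LastPass export format.
"""
import csv
import io

# Constructed sample export; every row is made up for illustration.
SAMPLE_EXPORT = """name,url,username,has_mfa,kind,value_to_institution
IU login,https://login.iu.edu,jdoe,yes,password,high
Cloud API key,https://api.example.com,svc-backup,no,api_key,high
Personal forum,https://forum.example.org,jdoe,no,password,low
Grant system,https://grants.example.edu,jdoe,no,password,high
Team wiki,https://wiki.example.edu,jdoe,yes,password,medium
"""

VALUE_SCORE = {"low": 1, "medium": 2, "high": 3}


def score_entry(row):
    """Return a risk score; higher means change the credential sooner.

    Weighting follows the advisory's priorities: API keys (which cannot be
    protected by MFA), logins without multi-factor authentication, and
    credentials for highly valuable institutional resources rank first.
    Any stored IU password is flagged for immediate change.
    """
    score = VALUE_SCORE.get(row["value_to_institution"].strip().lower(), 1)
    if row["kind"].strip().lower() == "api_key":
        score += 3
    if row["has_mfa"].strip().lower() != "yes":
        score += 2
    if "iu.edu" in row["url"].lower():
        score += 10  # advisory: change any stored IU password immediately
    return score


def triage(export_text):
    """Parse the CSV export and return [(name, score), ...] sorted by risk."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    ranked = sorted(rows, key=score_entry, reverse=True)
    return [(r["name"], score_entry(r)) for r in ranked]


def check_master_passphrase(passphrase):
    """Apply the advisory's minimum for a new vault master passphrase.

    'At least four words or 20 characters, whichever is longer' means the
    stricter bound applies, so both conditions must hold.
    """
    words = passphrase.split()
    return len(words) >= 4 and len(passphrase) >= 20


if __name__ == "__main__":
    for name, score in triage(SAMPLE_EXPORT):
        print(f"{score:3d}  {name}")
    for candidate in ("correct horse battery staple", "red fox ran far"):
        print(candidate, "->", "ok" if check_master_passphrase(candidate) else "too short")
```

Run it against your own export after replacing `SAMPLE_EXPORT` with the file contents; the output is an ordered change list, with IU credentials at the top, followed by API keys and non-MFA logins on high-value systems.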
Additionally, LastPass has been removed from the Conditional Allow List and placed on the Not Allowed for Purchase list as part of the Software and Services Selection Process (SSSP). New and renewed purchases will no longer be approved.
If you have any questions, please contact UISO, uiso@iu.edu.
–IT Community Partnerships on behalf of the University Information Security Office