LastPass confirmed more details tied to their recent November breach. It was disclosed that hackers stole company data and accessed customer information (names, email, usernames/passwords, billing address, etc.). Fortunately, anyone with a University subscription to LastPass has only had their name and email leaked; the University has notified these users and provided immediate actions to take. However, if you use the password management tool on a personal account, the risk of sensitive data loss is more significant.
Because most of the stolen usernames and passwords are encrypted with a user’s master password (which is not stored on LastPass’ servers), they are proving difficult to expose. However, the threat that hackers will try to decrypt LastPass logins, or use brute force to decipher them, continues. University IT and ISD would like the UR community to know they are heavily evaluating the University’s relationship with LastPass in light of these recent issues, and they offer some guidance on how you can stay ahead of the breach.
What you should do
- Change your LastPass master password to a new, unique password or passphrase.
  - This should be different from your UR or URMC Active Directory password/phrase.
- Review and change passwords for other sites and services you have stored in LastPass.
  - Begin with more critical and widely used credentials (email, bank account, social media).
- LastPass is protected with two-factor authentication. If you receive an authentication request via text, phone call, or email that you did not initiate, DO NOT APPROVE! Instead, contact your Help Desk immediately.
- Be on the lookout for any suspicious emails requesting personal information.
  - There is a good chance these bad actors will resort to phishing and use your personal information obtained through the breach to trick you into clicking links or providing additional personal details they were not able to originally gather.
- Read more about the breach in CNET’s article, “LastPass Says November Breach Exposed Basic Personal Data”
- LastPass support
- Tips for creating a strong password or passphrase
Help Desk Contact Information
University IT Help Desk
- (585) 275-2000
ISD Help Desk
- (585) 275-3200