• Skip to Content
  • Skip to Main Navigation
  • Skip to Search

Indiana University Indiana University IU

Open Search
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
      • Laptop & mobile device security
      • Malware, scareware, & ransomware
      • Wearable technologies
      • Use of survey software
    • File sharing & copyright
      • Contesting copyright infringement notices
      • Disabling peer-to-peer file sharing
      • Copyright tutorial
      • Copyright infringement incident resolution
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
      • Risk assessment and treatment
      • Policy administration
      • Organization
      • Asset management
      • Human resources
      • Physical & environmental security
      • Communications & operations management
      • Identity & access control
      • Information systems acquisition, development, and maintenance
      • Incident management
      • Business continuity management
      • Compliance
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
      • Guidelines
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
      • Privacy Notice Generator
      • Incident Response Webservice
      • SSL/TLS certificates
  • About
    • Glossary of Terms
    • Trustees Resolution
  • Contact
  • Report an Incident
    • Report Privacy Incident or Request Assistance
    • Emergency IT Incidents
    • Managing Incidents
    • Identity Theft
    • Reporting Suspected Sensitive Data Exposures
    • Reporting Suspected HIPAA Data Exposures

Information Security & Policy

  • Home
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
    • File sharing & copyright
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
  • Search
  • About
  • Contact
  • Report an Incident
  • Home
  • Security Bulletins
  • LastPass breach puts you at risk

LastPass breach puts you at risk

Wednesday, January 04, 2023

UPDATE

As of January 9, the security community consensus is that LastPass may be downplaying the potential risk of this exposure. Because of this, the UISO recommends transitioning to a different passphrase manager to replace LastPass.

Background

On December 22nd, the popular password manager LastPass announced that they had a serious data breach. In August 2022, an unauthorized third party gained access to a cloud-based storage service containing archived backups of production data, including an unknown number of passphrase vaults. Although the passphrases in the vaults are encrypted, threat actors can brute force vaults they downloaded, even after you change your master passphrase.  

Impact

LastPass has shared that the threat actor copied information from a backup that contained encrypted copies of user passphrase vaults. The breach also includes basic customer account information, including names, email addresses, phone numbers, and some billing information. LastPass says that credit card information is not archived in this cloud storage environment.

UISO recommendations

If you use LastPass to store passwords, or other critical information, they may be exposed. Please take the following steps to keep your data safe:

  • Make sure your LastPass software is up to date and set a new vault master passphrase. The new passphrase should be at least four words or 20 characters long, whichever is longer.
  • Assess the risk of credentials stored in the vault. Prioritize changing those with the greatest risk (API Keys, logins without multi-factor authentication, credentials used to access resources that are highly valuable to the institution). Change any stored IU passwords immediately. 
  • Plan a transition to another passphrase manager. The security community consensus is that LastPass may be downplaying the potential risk of this exposure, and several of their security practices seem inadequate to mediate this kind of risk. The UISO recommends that users and teams move away from LastPass in favor of 1Password, Bitwarden, or other password managers.

Additionally

  • LastPass has also been removed from the Conditional Allow List and placed on the Not Allowed for Purchase list as part of the Software and Services Selection Process (SSSP). New and renewed purchases will no longer be approved.
  • The UISO predicts an uptick in phishing attacks related to LastPass. Please report any attempted phishing emails using the Outlook “Report Message” button in the toolbar, and report suspicious calls to the IU Service Desk.

Information Security & Policy resources

  • Leading in Cybersecurity
  • IU Data Management

Indiana University

Accessibility | College Scorecard | Privacy Notice | Copyright © 2024 The Trustees of Indiana University