LastPass Security Incident
As you have likely already seen in the news, LastPass recently disclosed a security breach in which customer vault data was stolen. We have been following the situation closely. LastPass has provided details and instructions directly to those affected, and has stated that the stolen vault data is strongly encrypted with a key derived from your master password, so it cannot be decrypted as long as your master password is strong and remains confidential. With this in mind, LastPass is not recommending that you change the passwords of the accounts stored inside your vault, and for many people this may be the appropriate recommendation; however, we would like to modestly strengthen that recommendation based on what we currently know and reinforce some important caveats in their notice.
We continue to recommend that all high-risk accounts (e.g. banking, accounts used for Stony Brook business) have two-factor authentication enabled. If that is not possible for some of those accounts and they are stored in your LastPass vault, it would be prudent to proactively reset the passwords for those accounts. Even where two-factor authentication is enabled, resetting those passwords once a year is advantageous in the event of an undetected compromise. Further, if any of the items below are true in your case, it would be prudent to reset your master password and all of the passwords stored within your vault (the attacker holds a copy of the old encrypted vault, so changing the master password alone does not protect the passwords already in it):
1 - You reuse your master password on any other website.
2 - Your master password is shorter than 12 characters (16+ recommended) or lacks complexity (special characters, numbers, mixed case).
3 - You have reason to believe that your master password may have been compromised (e.g. you entered it by mistake into a phishing website).
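The three criteria above can be applied mechanically. The following script is an added example, not code from LastPass or from the DoIT Information Security team: it checks a candidate master password against the length and complexity thresholds in this notice, takes the reuse and suspected-compromise conditions as inputs, and, going one step beyond the notice, estimates the brute-force keyspace in bits from the password's length and the character classes it uses. That estimate is an assumption of the example and an upper bound only; a dictionary phrase or a predictable pattern is far weaker than the number suggests.

```python
import math
import string

# Thresholds taken from the advisory: under 12 characters is too short, 16+ is recommended.
MIN_LENGTH = 12
RECOMMENDED_LENGTH = 16

# The four complexity classes named in the advisory (special characters, numbers, mixed case).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes_used(password):
    """Return the names of the character classes that appear at least once in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in password)}


def estimated_entropy_bits(password):
    """Rough keyspace in bits: length * log2(size of the alphabet implied by the classes used).

    Assumption of this example: this treats every character as an independent random pick from
    the alphabet, so it is an upper bound. Words and patterns are much cheaper to guess.
    """
    used = character_classes_used(password)
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in used)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def master_password_findings(password, reused_elsewhere=False, suspected_compromise=False):
    """Apply the advisory's criteria. A non-empty list means: reset the master password and every stored password."""
    findings = []
    if reused_elsewhere:
        findings.append("master password is reused on other websites")
    if len(password) < MIN_LENGTH:
        findings.append(
            f"master password is shorter than {MIN_LENGTH} characters ({RECOMMENDED_LENGTH}+ recommended)"
        )
    missing = set(CHARACTER_CLASSES) - character_classes_used(password)
    if missing:
        findings.append("master password lacks complexity: no " + ", ".join(sorted(missing)))
    if suspected_compromise:
        findings.append("master password may have been exposed (e.g. typed into a phishing site)")
    return findings


def full_reset_recommended(password, **conditions):
    """True when any of the advisory's reset criteria applies."""
    return bool(master_password_findings(password, **conditions))


if __name__ == "__main__":
    # Constructed sample passwords for illustration only; none of these is a real credential.
    samples = ["correcthorse", "Tr0ub4dor&3", "Winter-Storm-Fjord-2024!Q"]
    for pw in samples:
        print(f"{pw!r}: ~{estimated_entropy_bits(pw):.0f} bits, findings={master_password_findings(pw)}")
```

Run it as-is to see the three constructed samples; in practice you would call `master_password_findings` with `reused_elsewhere` and `suspected_compromise` set from your own answers to criteria 1 and 3. Note how a 12-character all-lowercase password passes the length check but still lands well below the keyspace of a 16+ character password drawn from all four classes.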
Please be sure to review our updated guidelines on how to safely make use of an online password manager like LastPass, and expect to see attempts to phish your master password in the coming weeks and months. We will continue to monitor the situation closely and update our recommendations if new information becomes available. You may choose to go beyond LastPass’ recommendations by resetting all of your stored passwords to reduce the outstanding risk even further. If you are unsure how to proceed, please do not hesitate to contact the Information Security team through the DoIT Service Desk.
Matt Nappi
Chief Information Security Officer
Assistant Vice President
Division of Information Technology
Lawrence M. Zacarese
Vice President for Enterprise Risk Management
Chief Security Officer