Update on LastPass Security Incident
January 23, 2023
What is LastPass?
LastPass is password management software. It installs as a browser extension, a desktop application or a mobile app. The user sets a "Master Password" and uses it to access all the website passwords stored in a "Vault." This makes it easier to store and manage passwords in a central location. There are many password managers; LastPass is just one of them.
LastPass architects their service so that they do not possess your unencrypted secrets nor the keys to decrypt them. Encryption and decryption happen in the local client software on your device; the key that encrypts the vault is derived on your device from your Master Password, so LastPass never holds either one. This is an important layer of protection that limits the damage if vault data is compromised, but it also means the protection is only as strong as the Master Password it is derived from.
If you use LastPass, please read the following.
Chapman University and LastPass
Chapman University Information Systems and Technology did not have a campus-wide implementation of LastPass as a tool.
Since the impact was deemed minimal, an immediate notification was not needed for the Chapman University community. This notification raises awareness for those using LastPass for their personal passwords.
What happened?
In December 2022, LastPass announced a breach of their services. Unknown actors obtained a backup of customer vault data (each vault being an individualized data store of websites, usernames and passwords), which contains both unencrypted and encrypted fields.
What was obtained in the breach?
Copies of user vaults that include both unencrypted data, such as website URLs, and encrypted data, such as usernames and passwords, secure notes, or form-filled data.
What they did NOT get
The attackers did not get the encryption keys used to encrypt stored usernames and passwords. LastPass does not possess these keys, which are unique to each user: each vault key is derived from that user's Master Password on the user's own device. The attackers' only path to the encrypted data is therefore to guess Master Passwords.
What are the risks of this breach?
The unencrypted data tells attackers where you have accounts. This lets them target those accounts with phishing campaigns that impersonate the sites you actually use.
The encrypted data is not readily accessible to the attackers; it is protected with 256-bit AES (Advanced Encryption Standard) encryption. Nevertheless, they possess a copy of that encrypted data and can work on it at their leisure.
AES-256 itself is not the weak point. The realistic attack is to guess Master Passwords offline against the stolen copy, with no lockout, rate limit or 2-Factor Authentication in the way, and to test each guess by checking whether the derived key decrypts the vault. Vaults protected by a short, common or reused Master Password can fall to this kind of guessing; a long, unique Master Password makes it impractical. While it is unlikely attackers can decrypt a well-protected vault anytime soon, there is a risk, and some analysts believe it is only a matter of time before the attackers crack a given weakly protected vault and read its contents.
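The following is an added example, not code from the original notice or from LastPass, that models the offline guessing attack described above. It uses the documented LastPass key-derivation construction (PBKDF2-HMAC-SHA256 over the Master Password, salted with the account e-mail), but it replaces the AES-256 vault ciphertext with an HMAC check value so that the demo runs on the Python standard library alone. The e-mail address, the weak Master Password, the wordlist, the 5,000 iteration count and the attacker throughput are all assumed values constructed for the demo; 100,100 is the LastPass default for newer accounts and 600,000 is the value LastPass recommended in 2023.

```python
import hashlib
import hmac
import time

# Constructed demo data, not real LastPass records. LastPass salts the vault
# key derivation with the account e-mail; the master password below is an
# assumed weak one chosen so that a small wordlist finds it.
EMAIL = "user@example.com"
WEAK_MASTER = "Summer2022!"
WORDLIST = ["password", "letmein", "Summer2021!", "Summer2022!", "correct horse battery"]


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the e-mail.
    This is the documented LastPass construction; the derived key is what
    actually encrypts the vault and never leaves the client."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def vault_check_value(key: bytes) -> bytes:
    """Stand-in for the encrypted vault. The real vault is AES-256-CBC
    ciphertext; here an HMAC over a fixed string answers the only question
    the attacker needs answered ('does this candidate key open the vault?')
    using the standard library alone."""
    return hmac.new(key, b"lastpass-demo-vault", hashlib.sha256).digest()


def offline_crack(check_value: bytes, email: str, iterations: int, wordlist):
    """What a holder of a stolen vault backup can do: guess master passwords
    offline, with no server-side lockout, rate limit or MFA in the way.
    Returns (password, guesses_tried) or (None, guesses_tried)."""
    for tried, guess in enumerate(wordlist, start=1):
        candidate = vault_check_value(derive_vault_key(guess, email, iterations))
        if hmac.compare_digest(candidate, check_value):
            return guess, tried
    return None, len(wordlist)


def crack_seconds(keyspace: int, iterations: int, hmac_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace: each guess costs `iterations`
    HMAC-SHA256 computations. `hmac_per_second` is an assumed attacker
    throughput supplied by the caller, not measured here."""
    return keyspace * iterations / hmac_per_second


if __name__ == "__main__":
    # Attacker's view: a stolen check value produced with an assumed low
    # iteration count (5,000), and a wordlist that happens to contain the
    # weak master password.
    stolen = vault_check_value(derive_vault_key(WEAK_MASTER, EMAIL, 5_000))
    t0 = time.perf_counter()
    print("cracked:", offline_crack(stolen, EMAIL, 5_000, WORDLIST),
          f"in {time.perf_counter() - t0:.2f}s")

    # Work per guess grows linearly with the iteration count; only the
    # master password's entropy (the keyspace) grows the number of guesses.
    rate = 1e9  # assumed attacker throughput, HMAC-SHA256 per second
    for iters in (5_000, 100_100, 600_000):
        for keyspace in (10**6, 10**12, 10**18):
            days = crack_seconds(keyspace, iters, rate) / 86_400
            print(f"{iters:>7} iterations, {keyspace:.0e} guesses: {days:,.1f} days")
```

Two things the run makes visible: a Master Password that appears in a wordlist is found in well under a second regardless of the AES key length, and raising the iteration count by a factor of 120 (5,000 to 600,000) buys only a factor of 120 in attacker time, whereas each extra random character in the Master Password multiplies the keyspace. That is why the advice below leads with the Master Password rather than with the cipher.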
What should LastPass users do to protect themselves?
Change all passwords for accounts that are stored in LastPass. Changing your Master Password protects your current vault going forward, but it does nothing to the copy the attackers already hold, which is why the stored passwords themselves must change. The only way to fully protect yourself from the risk of your secrets eventually becoming known is to change every password stored in LastPass, as well as your Master Password.
- If you have a LastPass account, ensure you are not storing Chapman University usernames and password(s). If you have, remove them immediately from LastPass, and change those passwords.
- Never use your Chapman Username or passwords for non-Chapman accounts.
- Be extra vigilant when it comes to phishing attempts related to your accounts in LastPass.
- Avoid reusing passwords – if one account is compromised, you can assume adversaries will try those credentials on all your other accounts.
- Always turn on 2-Factor Authentication for any account that offers it (especially the accounts in your vault). It does not protect the stolen vault copy itself, but it limits what an attacker can do with a password recovered from it.
Password managers make it more practical to use strong, unique passwords. Unfortunately, they are also a rich target for bad actors, as this case shows. No matter which password manager you choose, a strong primary or master password is vital to protecting your credentials, because it is the one secret from which the rest of the protection is derived. The Chapman University Information Security team will continue to monitor information regarding this breach.
Additional resources:
Thank you,
Chapman University Information Security Team